author: Chris McDonough <chrism@plope.com> 2012-11-04 01:51:57 -0500
committer: Chris McDonough <chrism@plope.com> 2012-11-04 01:51:57 -0500
commit: 9149461a45399a9f7f23322daa7c02e1397f9a91 (patch)
tree: b419ceb66f4298b63d4c0f591f1f5ef0ff7a58a8 /CHANGES.txt
parent: 34d4cd0ea38fdbe0ab0e0832fc2114953ef4e94a (diff)
parent: 04875452db1da40bd8ed0841869d511b8d86527d (diff)
Merge branch 'iElectric-feature.sha512_auth'
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- CHANGES.txt 20
1 file changed, 19 insertions, 1 deletion
diff --git a/CHANGES.txt b/CHANGES.txt
index 8d5a00e77..45fc19762 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -43,6 +43,24 @@ Bug Fixes
attribute of the request. It no longer fails in this case. See
https://github.com/Pylons/pyramid/issues/700
+Deprecations
+------------
+
+- The ``pyramid.authentication.AuthTktAuthenticationPolicy`` authentication
+ policy is deprecated in Pyramid 1.4 due to its use of the MD5 hashing
+ algorithm, which has known hash collision vulnerabilities. The risk of an
+ exploit is low. However, for improved authentication security, use the
+ ``pyramid.authentication.SHA512AuthTktAuthenticationPolicy`` instead.
+ Cookies generated by the AuthTktAuthenticationPolicy are not compatible with
+ cookies generated by the SHA512AuthTktAuthenticationPolicy, however, so
+ switching to the latter will imply that all existing users with a valid
+ cookie will be required to re-login. The SHA-512 version is not compatible
+ with Apache's mod_auth_tkt either, so if you are relying on that
+ compatibility, you'll want to stick with the MD5 version.
+
+ A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is
+ imported.
+
Internals
---------
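Review bot: emitting the deprecation warning at import time (the "A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is imported" paragraph at the end of the new Deprecations entry) will fire for any code that merely imports ``pyramid.authentication``, including code that only wants the recommended ``SHA512AuthTktAuthenticationPolicy`` from the same module, so the warning would be more useful, and less noisy, if it were raised when ``AuthTktAuthenticationPolicy`` is instantiated; the changelog text should then say "instantiated" rather than "imported". The entry also names the MD5 policy as deprecated in 1.4 without saying in which release it is planned to be removed; adding that gives readers a deadline for the re-login migration the entry already warns about.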
@@ -50,7 +68,7 @@ Internals
move ``CyclicDependencyError`` from ``pyramid.config.util`` to
``pyramid.exceptions``, rename ``Singleton`` to ``Sentinel`` and move from
``pyramid.config.util`` to ``pyramid.config.util``; this is in an effort to
- move that stuff that may be an API one day out of ``pyramid.config.util,
+ move that stuff that may be an API one day out of ``pyramid.config.util``,
because that package should never be imported from non-Pyramid code.
TopologicalSorter is still not an API, but may become one.
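Review bot: the context two lines above the changed line still says ``Sentinel`` was moved "from ``pyramid.config.util`` to ``pyramid.config.util``", i.e. the same module on both sides, which cannot be what the Internals entry means; since this hunk is already correcting the unbalanced backquotes in the same paragraph, fix the destination module name in that sentence as well so the entry describes where ``Sentinel`` actually lives now.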