author: Chris McDonough <chrism@plope.com> 2012-11-04 16:07:29 -0500
committer: Chris McDonough <chrism@plope.com> 2012-11-04 16:07:29 -0500
commit: fee21a3199d2d6e24e34c1e4bc71dfcfa0e31e64 (patch)
tree: 2569cc77dd3bcd22748567ba15ee11d641645e2b /CHANGES.txt
parent: db9fbf0773dc143126589897d9b1f1d98c2dc7b0 (diff)
parent: bba64b29653cc49f153baeb62c44b0fa7006d1a9 (diff)
Merge branch 'fix.695'
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- CHANGES.txt 23
1 files changed, 9 insertions, 14 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a9ce80712..43a910f96 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,10 @@ Next release
Features
--------
+- ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to
+ support newer hashing algorithms such as ``sha512``. Existing applications
+ should consider updating if possible.
+
- Added an ``effective_principals`` route and view predicate.
- Do not allow the userid returned from the ``authenticated_userid`` or the
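Review bot: The new Features entry (the three added lines under "Features") says the policy "has been updated to support newer hashing algorithms such as ``sha512``" but never says how an application selects one; since the Deprecations entry in this same change refers to a ``hashalg`` argument, name it here as well (e.g. "by passing ``hashalg='sha512'`` to the policy") so a reader of the Features section knows how to opt in. "Existing applications should consider updating if possible" is similarly vague about what "updating" means; stating that it means setting ``hashalg`` to something other than the md5 default would make the entry actionable.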
@@ -47,20 +51,11 @@ Bug Fixes
Deprecations
------------
-- The ``pyramid.authentication.AuthTktAuthenticationPolicy`` authentication
- policy is deprecated in Pyramid 1.4 due to its use of the MD5 hashing
- algorithm, which has known hash collision vulnerabilities. The risk of an
- exploit is low. However, for improved authentication security, use the
- ``pyramid.authentication.SHA512AuthTktAuthenticationPolicy`` instead.
- Cookies generated by the AuthTktAuthenticationPolicy are not compatible with
- cookies generated by the SHA512AuthTktAuthenticationPolicy, however, so
- switching to the latter will imply that all existing users with a valid
- cookie will be required to re-login. The SHA-512 version is not compatible
- with Apache's mod_auth_tkt either, so if you are relying on that
- compatibility, you'll want to stick with the MD5 version.
-
- A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is
- imported.
+- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning
+ if an application is using the policy without explicitly setting the
+ ``hashalg``. This is because the default is "md5" which is considered
+ insecure. If you really want "md5" then you must specify it explicitly to
+ get rid of the warning.
Internals
---------
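Review bot: The replacement Deprecations entry drops two caveats that the removed paragraph carried and that still apply once an application changes ``hashalg`` away from "md5": cookies produced with a different hash algorithm are not compatible with the existing md5 cookies, so every user with a valid cookie will have to log in again, and the sha512 tickets are not compatible with Apache's mod_auth_tkt. Consider keeping one sentence for each, e.g. "Changing ``hashalg`` invalidates existing auth_tkt cookies and the non-md5 variants are not compatible with mod_auth_tkt." The new wording "which is considered insecure" is also less specific than the removed "known hash collision vulnerabilities"; restoring the concrete reason helps operators judge how urgently to migrate.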