[Galene] ANNOUNCE: galene-0.96.2

[Galene] ANNOUNCE: galene-0.96.2

[Juliusz Chroboczek]

Dear all,

Galene 0.96.1 is available by doing

    git clone -b galene-0.96.1 https://github.com/jech/galene

The main reason for this release is that it fixes a security issue,
introduced in 0.96.1, that could cause us to erroneously grant access with
an incorrect password.  A mitigating factor is that only plaintext
passwords are affected.

If you've already upgraded to 0.96.1, please upgrade to 0.96.2 as soon as
possible.

This release also includes support for background blur under Safari, and
some other security-related changes.

-- Juliusz

21 January 2025: Galene 0.96.2

  * Fix a bug, introduced in 0.96.1, that could cause plaintext passwords
    to be erroneously accepted even when incorrect.
  * Implement background blur on Safari.
  * Change the default hashing algorithm to bcrypt.  We use a cost of 8 in
    order to keep hashing times under 25ms, even though 10 is currently
    the recommended minimum.
  * Limit the number of concurrent password hashing operations to the
    number of CPUs.  This avoids using excessive memory when many users
    log in at the same time.

[Galene] Re: ANNOUNCE: galene-0.96.2

[Juliusz Chroboczek]

> 21 January 2025: Galene 0.96.2
> 
>   * Fix a bug, introduced in 0.96.1, that could cause plaintext passwords
>     to be erroneously accepted even when incorrect.
>   * Implement background blur on Safari.
>   * Change the default hashing algorithm to bcrypt.  We use a cost of 8 in
>     order to keep hashing times under 25ms, even though 10 is currently
>     the recommended minimum.
>   * Limit the number of concurrent password hashing operations to the
>     number of CPUs.  This avoids using excessive memory when many users
>     log in at the same time.

Oh, I forgot to mention that the minimum TLS version is now 1.2.  This
should not affect any recent browsers.

-- Juliusz