2014-10-09 Flaw Discovered 2014-10-20 Vendor contacted 2014-10-21 Vendor response 2014-12-08 Vendor fix proposal 2014-12-08 Extension of embargo to 19.4.2015 2015-05-04 Extension of embargo until release of version 5.0 2015-05-18 Release of version 5.0 and public disclosure
The CollabNet Subversion Edge Management stores passwords as unsalted MD5 hashes. Unsalted MD5 hashes can easily be cracked by brute forcing the password.
Use a strong password storage algorithm like scrypt or PBKDF2.
We opted to go with bcrypt. It has more usage than scrypt and does not have any known vulnerabilities; it is also more easily supported with the subversion server, not just the Edge admin console. The strength factor is configurable.