CVE-2017-7252: 
Botan vulnerability analysis and mitigation

Botan's bcrypt password hashing implementation before version 2.1.0 contained a critical security flaw where passwords with lengths between 57 and 72 characters were incorrectly truncated at 56 characters, instead of the standard bcrypt 72-character limit. This vulnerability was discovered and reported by Solar Designer in March 2017 (Vendor Advisory).

The vulnerability (CVE-2017-7252) affects the bcrypt password hashing mechanism in Botan versions from 1.11.0 to versions before 2.1.0. Due to incorrect implementation, the system would truncate passwords at 56 characters instead of the standard bcrypt specification of 72 characters. This implementation error means that for passwords between 57 and 72 characters in length, any characters beyond the 56th position were ignored during the hashing process (Vendor Advisory).

The truncation of passwords at 56 characters instead of 72 characters makes it easier for attackers to determine the cleartext password. For affected passwords (those between 57 and 72 characters), the final password bytes were ignored during hash computation, effectively weakening the password strength and making them more susceptible to cracking attempts (SUSE Bug).

The vulnerability was fixed in Botan version 2.1.0. Users of affected versions should upgrade to version 2.1.0 or later to address this issue. It's worth noting that some distributions, such as SUSE Linux Enterprise (SLE) 12, which used version 1.10.x, were not affected by this vulnerability (SUSE Bug).