Bug 43222

GemStone/S 64 Bit

3.1.0.4, 3.1.0.3, 3.1.0.2, 3.1.0.1, 3.1

3.1.0.5

UserProfile>>password: for users that haven't logged in after upgrade corrupts password history

When disallowUsedPasswords: true is set, the encrypted passwords and the associated
"salt" used for encryption are stored, so later password assignments can
determine whether the password was previously used.  In v3.1, password handling
changed, which changed the details of the data that must be stored.  On
systems that were upgraded from 2.x, when an administrator changes the
password of a user (using password:), if the user has not previously logged
into the 3.1.x repository, the salt values for the password being added
to the old passwords are not stored correctly.

When the user next attempts to change their password, the system will attempt to
read the old passwords to verify that the new password was not previously used,
resulting in a gem crash with SEGV.

The SEGV causes no other problems and the user account is fine, but the old
passwords must be cleared before the user will be able to change their
own password.

Workaround

If the user has logged into 3.x prior to the password being changed by
the administrator, there is no problem.  Otherwise, you will need to clear
the old passwords of the user after changing their password by executing
  <userProfile> clearOldPasswords
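The administrator's side of the workaround as a single do-it, added here as an illustration and not taken from the bug report itself; the lookup via AllUsers userWithId: and the commit via System commitTransaction are assumed standard GemStone/S calls, and the user id and password are placeholder values.

```smalltalk
"Added example: reset an upgraded user's password and clear the corrupt
 old-password history in the same transaction, so the user never sees the
 SEGV on their next password: call.  'someUser' and the new password are
 placeholders; AllUsers userWithId: and System commitTransaction are assumed."
| profile |
profile := AllUsers userWithId: 'someUser'.
profile password: 'NewPassword-Placeholder-1'.
"Because the user has not logged into 3.1.x yet, the salt for the old
 password is stored incorrectly; drop the history before committing."
profile clearOldPasswords.
System commitTransaction.
```

Running both steps before committing avoids leaving a window in which the user could hit the crash between the password change and the cleanup.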


Last updated: 8/12/13