diff --git a/typo3/sysext/backend/Classes/Authentication/PasswordReset.php b/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
index 788eb640a57065730bab693e978a37bd41f30d04..c6b455d81834e0422976d59e71706afcea2768e1 100644
--- a/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
+++ b/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
@@ -297,7 +297,7 @@ class PasswordReset implements LoggerAwareInterface
             // no native SHA1/ CONCAT functionality, has to be done in PHP
             $stmt = $queryBuilder->execute();
             while ($row = $stmt->fetch()) {
-                if (hash('sha1', $row['email'] . (string)$row['uid']) === $identity) {
+                if (hash_equals(hash('sha1', $row['email'] . (string)$row['uid']), $identity)) {
                     $user = $row;
                     break;
                 }
diff --git a/typo3/sysext/core/Classes/Resource/ResourceCompressor.php b/typo3/sysext/core/Classes/Resource/ResourceCompressor.php
index b45acdea1556e3ad196ecd24ca032c31c9d73b02..00df858d170e3be0f69cc4d9ea3dc162474c9702 100644
--- a/typo3/sysext/core/Classes/Resource/ResourceCompressor.php
+++ b/typo3/sysext/core/Classes/Resource/ResourceCompressor.php
@@ -642,7 +642,7 @@ class ResourceCompressor
         $filename = $this->targetDirectory . 'external-' . md5($url);
         // Write only if file does not exist OR md5 of the content is not the same as fetched one
         if (!file_exists(Environment::getPublicPath() . '/' . $filename)
-            || (md5($externalContent) !== md5(file_get_contents(Environment::getPublicPath() . '/' . $filename)))
+            || !hash_equals(md5(file_get_contents(Environment::getPublicPath() . '/' . $filename)), md5($externalContent))
         ) {
             GeneralUtility::writeFile(Environment::getPublicPath() . '/' . $filename, $externalContent);
         }