Posted to docs@httpd.apache.org by bu...@apache.org on 2013/11/21 21:27:03 UTC

[Bug 55808] New: File integrity verification using MD5 and SHA1

https://issues.apache.org/bugzilla/show_bug.cgi?id=55808

            Bug ID: 55808
           Summary: File integrity verification using MD5 and SHA1
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: Other
               URL: https://httpd.apache.org/download.cgi
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: docs@httpd.apache.org
          Reporter: fedor.brunner@azet.sk

On the download page
https://httpd.apache.org/download.cgi
you are providing PGP, MD5 and SHA1 signatures for released files. The MD5
algorithm has been broken, and the SHA1 algorithm is showing weaknesses. Your own
developer recommendations contain this information:
https://www.apache.org/dev/openpgp.html#sha1

Please remove the MD5 and SHA1 signatures. You can replace them with SHA2-256
or SHA2-512 signatures. The PGP signature is already using SHA2-512 algorithm.

Practical examples of MD5 attacks:
http://www.win.tue.nl/hashclash/rogue-ca/
https://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx?Redirected=true

NIST required many applications in federal agencies to move to SHA-2 after 2010
because of the weakness.
http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

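The report asks that MD5 and SHA1 digests be dropped from the download page in favour of SHA2-256 or SHA2-512. The following is an added example, not part of the bug report or of the httpd project's own tooling, of what a downloader-side verifier looks like when it takes that advice: it parses the common `sha256sum`-style checksum line format (`<hexdigest>  <filename>`, which is an assumption about the file layout), streams the artifact through the selected SHA-2 function, compares digests in constant time, and refuses outright to compare against an MD5 or SHA1 digest instead of silently accepting it. The sample file bytes and checksum lines in `demo()` are constructed for the example.

```python
"""Verify a downloaded release artifact against a published SHA-2 checksum.

Added example, not part of the bug report or the httpd project. Assumes a
checksum file in the common sha256sum format ("<hex digest>  <filename>")
and treats MD5 and SHA-1 digests as unacceptable for integrity checks.
"""
import hashlib
import hmac
import os
import tempfile

# Digest algorithms accepted for integrity verification. MD5 and SHA-1 are
# deliberately absent: a checksum line naming them is rejected, not compared.
ACCEPTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

# Hex digest length -> algorithm name, used to recognise what a line holds.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_line(line):
    """Parse one '<hexdigest>  <filename>' line (sha256sum/md5sum style).

    Returns (algorithm, digest_hex, filename). A leading '*' on the filename
    (binary-mode marker) is stripped. Raises ValueError on malformed input
    or an unrecognised digest length.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, name = parts
    digest = digest.lower()
    if name.startswith("*"):
        name = name[1:]
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not hex: %r" % digest)
    algo = _HEX_LEN_TO_ALGO.get(len(digest))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(digest))
    return algo, digest, name


def file_digest(path, algo, chunk_size=1 << 20):
    """Stream the file through the hash so large tarballs need not fit in RAM."""
    h = ACCEPTED[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, checksum_line):
    """Return (ok, reason). ok is True only for a matching SHA-2 digest."""
    algo, expected, name = parse_checksum_line(checksum_line)
    if algo not in ACCEPTED:
        return False, "refusing weak digest algorithm %s for %s" % (algo, name)
    if os.path.basename(path) != name:
        return False, "checksum line is for %r, not %r" % (name, os.path.basename(path))
    actual = file_digest(path, algo)
    # compare_digest is the constant-time comparison habit; the local check
    # itself is not timing-sensitive, but the same code often runs server-side.
    if hmac.compare_digest(actual, expected):
        return True, "%s digest matches" % algo
    return False, "%s digest mismatch (expected %s, got %s)" % (algo, expected, actual)


def demo():
    """Constructed sample: a fake 'release' file plus three checksum lines."""
    data = b"constructed sample bytes standing in for a release tarball\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "httpd-sample.tar.gz")
        with open(path, "wb") as f:
            f.write(data)
        good = hashlib.sha256(data).hexdigest() + "  httpd-sample.tar.gz"
        bad = hashlib.sha256(data + b"x").hexdigest() + "  httpd-sample.tar.gz"
        weak = hashlib.md5(data).hexdigest() + "  httpd-sample.tar.gz"
        return [verify(path, line) for line in (good, bad, weak)]


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

Refusing the weak algorithms rather than merely warning is the point: a checksum published alongside the PGP signature only adds value if it cannot be satisfied by a collision, and once MD5 or SHA1 lines are accepted anywhere in the tool, a compromised mirror can serve the weak digest and skip the strong one.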