You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Timothee Maret (JIRA)" <ji...@apache.org> on 2017/03/13 10:45:04 UTC
[jira] [Assigned] (SLING-6638) Vault Package Builder should not
allow SHA1, MD5 digest algorithm
[ https://issues.apache.org/jira/browse/SLING-6638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Timothee Maret reassigned SLING-6638:
-------------------------------------
Assignee: Timothee Maret
> Vault Package Builder should not allow SHA1, MD5 digest algorithm
> -----------------------------------------------------------------
>
> Key: SLING-6638
> URL: https://issues.apache.org/jira/browse/SLING-6638
> Project: Sling
> Issue Type: Bug
> Components: Content Distribution
> Affects Versions: Content Distribution Core 0.2.6
> Reporter: Timothee Maret
> Assignee: Timothee Maret
> Fix For: Content Distribution Core 0.2.8
>
>
> The {{VaultDistributionPackageBuilderFactory} [0] proposes the MD5, MD2 and SHA-1 algorithms, for which collisions could realistically be forged.
> SCD makes use of those algorithm for error detection (like a CRC) and not for security. Despite that, we should deprecate the use of those algorithms IMO.
> I propose to remove the three algorithms form the list of proposals, and throw and exception if a non supported algorithm is used. The component end up not being activated unless the configuration is corrected.
> [0] https://github.com/apache/sling/blob/trunk/contrib/extensions/distribution/core/src/main/java/org/apache/sling/distribution/serialization/impl/vlt/VaultDistributionPackageBuilderFactory.java#L191-L193
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)