You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Timothee Maret (JIRA)" <ji...@apache.org> on 2017/03/13 10:44:04 UTC
[jira] [Created] (SLING-6638) Vault Package Builder should not
allow SHA1, MD5 digest algorithm
Timothee Maret created SLING-6638:
-------------------------------------
Summary: Vault Package Builder should not allow SHA1, MD5 digest algorithm
Key: SLING-6638
URL: https://issues.apache.org/jira/browse/SLING-6638
Project: Sling
Issue Type: Bug
Components: Content Distribution
Affects Versions: Content Distribution Core 0.2.6
Reporter: Timothee Maret
Fix For: Content Distribution Core 0.2.8
The {{VaultDistributionPackageBuilderFactory} [0] proposes the MD5, MD2 and SHA-1 algorithms, for which collisions could realistically be forged.
SCD makes use of those algorithm for error detection (like a CRC) and not for security. Despite that, we should deprecate the use of those algorithms IMO.
I propose to remove the three algorithms form the list of proposals, and throw and exception if a non supported algorithm is used. The component end up not being activated unless the configuration is corrected.
[0] https://github.com/apache/sling/blob/trunk/contrib/extensions/distribution/core/src/main/java/org/apache/sling/distribution/serialization/impl/vlt/VaultDistributionPackageBuilderFactory.java#L191-L193
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)