Package: libmail-dkim-perl Version: 0.54-1 Severity: normal Dear Maintainer,
This package ships with /usr/bin/dkimproxy-sign, from dkim-proxy, which is hardcoded to use rsa-sha1 for signing. Beyond being generally weak, SHA-1 is now explicitly banned for DKIM use by RFC 8301: "Due to the recognized weakness of the SHA-1 hash algorithm (see [RFC6194]) and the wide availability of the SHA-256 hash algorithm (it has been a required part of DKIM [RFC6376] since it was originally standardized in 2007), the SHA-1 hash algorithm MUST NOT be used." While ideally the user should be allowed to choose, if it is going to be hardcoded, at least the hardcoded value should be SHA-256 rather than SHA-1. The supplied patch addresses this, and I would appreciate if it could be applied. Thanks. -- System Information: Debian Release: 10.4 APT prefers stable APT policy: (900, 'stable'), (500, 'testing') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 4.19.0-0.bpo.5-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libmail-dkim-perl depends on: ii libcrypt-openssl-rsa-perl 0.31-1+b1 ii libdigest-sha-perl 6.02-1+b1 ii liberror-perl 0.17027-2 ii libmailtools-perl 2.18-1 ii libnet-dns-perl 1.19-1 ii libperl5.24 [libdigest-sha-perl] 5.24.1-3+deb9u5 ii perl [libdigest-sha-perl] 5.28.1-6 libmail-dkim-perl recommends no packages. libmail-dkim-perl suggests no packages. -- no debconf information
--- /usr/bin/dkimproxy-sign 2018-12-04 21:15:55.000000000 +0100 +++ /usr/local/bin/dkimproxy-sign 2020-05-24 22:34:35.585654976 +0200 @@ -16,7 +16,7 @@ my $type = "dkim"; my $selector = "selector1"; -my $algorithm = "rsa-sha1"; +my $algorithm = "rsa-sha256"; my $method = "simple"; my $domain; # undef => auto-select domain my $expiration;
