Your message dated Sun, 15 Nov 2009 16:47:12 +1000
with message-id <20091115064712.gb15...@daedalus.andrew.net.au>
has caused the report #555668,
regarding elfsign uses MD5
to be marked as having been forwarded to the upstream software
author(s) Matt Miller <mmil...@hick.org>
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
555668: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hi Matt,
What's the status of elfsign? It doesn't look like you've made a new release
in nearly 5 years. Are you planning on addressing the deficiencies of MD5 by
releasing a new version with SHA1 support?
Please maintain the Cc to keep our bug tracking system in the loop.
regards
Andrew
On Wed, Nov 11, 2009 at 12:00:51AM +0100, phcoder wrote:
> Package: elfsign
> Version: 0.2.2-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> elfsign uses MD5, which is vulnerable to collision attacks. An attacker could
> prepare 2 ELF files: one legitimate and one malicious having the same MD5, then
> submit the legitimate one for signing and then transfer the signature to the
> malicious file. This is also possible, though more difficult to mount, against
> source code.
> Note: Debian itself doesn't use ELF signatures
>
> -- System Information:
> Debian Release: squeeze/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages elfsign depends on:
> ii libc6 2.10.1-6 GNU C Library: Shared libraries
> ii libssl0.9.8 0.9.8k-5 SSL shared libraries
>
> elfsign recommends no packages.
>
> elfsign suggests no packages.
>
> -- no debconf information
>
>
--- End Message ---
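The scenario in the quoted report (sign the legitimate file, move the signature to a colliding malicious one) and the fix Andrew asks about, as a constructed toy example that is not elfsign's code or file format. A keyed HMAC-SHA256 with a demo key stands in for the signer's private-key operation, and `trunc16` is a deliberately weak 16-bit toy digest standing in for a broken hash, so the collision can be found in milliseconds; the verifier shows the digest-algorithm allowlist that makes such a transferred signature fail regardless.

```python
# Constructed toy hash-then-sign illustrating bug #555668; not elfsign's code
# or format. HMAC-SHA256 with a demo key stands in for the signer's private-key
# operation. 'trunc16' is a deliberately weak 16-bit toy digest playing the
# role of a broken hash like MD5, so a collision is found here in milliseconds.
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the signer's private key

def digest(data: bytes, algo: str) -> bytes:
    if algo == "trunc16":  # toy broken digest: only 16 bits of SHA-256
        return hashlib.sha256(data).digest()[:2]
    return hashlib.new(algo, data).digest()

def _mac(algo: str, d: bytes) -> bytes:
    # The algorithm name is bound into the signed message so a signature over
    # one digest type cannot be relabelled as another.
    return hmac.new(SIGNING_KEY, algo.encode() + b"\0" + d, "sha256").digest()

def sign(data: bytes, algo: str) -> bytes:
    # Only the digest is signed: any input with the same digest shares this sig.
    return _mac(algo, digest(data, algo))

def verify(data: bytes, algo: str, sig: bytes, allowed=("sha256",)) -> bool:
    # Policy first: a valid signature over a deprecated digest is still
    # rejected. This is the change the bug report asks elfsign for.
    if algo not in allowed:
        return False
    return hmac.compare_digest(_mac(algo, digest(data, algo)), sig)

def find_toy_collision(algo: str, limit: int = 4096):
    """Birthday search for legit/malicious inputs with equal digest (trunc16 only)."""
    seen = {}
    for i in range(limit):
        for label, msg in (("legit", b"legitimate-binary-" + i.to_bytes(4, "big")),
                           ("mal", b"malicious-binary-" + i.to_bytes(4, "big"))):
            d = digest(msg, algo)
            other = seen.get((d, "mal" if label == "legit" else "legit"))
            if other is not None:
                return (msg, other) if label == "legit" else (other, msg)
            seen[(d, label)] = msg
    return None

def signature_transfers(algo: str) -> bool:
    # Sign only the legitimate input; does the malicious one verify under algo?
    pair = find_toy_collision(algo)
    if pair is None:
        return False
    legit, mal = pair
    return verify(mal, algo, sign(legit, algo), allowed=(algo,))
```

With `trunc16` accepted, the signature made over the legitimate input verifies the malicious one; with the default allowlist the same signature is refused before any comparison, and for `sha256` the search finds no pair at all.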