On 29.01.20 15:21, Kevin A. McGrail wrote:
> Correct, it's a policy issue.  ASF Projects must stop providing SHA-1
> signatures and we negotiated that deadline.

do you mean, not having updates is better than using sha-1?

wouldn't clients supporting sha256 still use those over sha-1 or do you
expect MITM attackers to hide sha256 hashes so fake sha-1 can be forged?

> On 29.01.20 14:12, Kevin A. McGrail wrote:
>> On behalf of the Apache SpamAssassin Project, I am pleased to announce
>> version 3.4.4 is available.
>>
>> Release Notes -- Apache SpamAssassin -- Version 3.4.4
>>
>> Introduction
>> ------------
>>
>> Apache SpamAssassin 3.4.4 is primarily a security release.
>>
>> In this release, there are bug fixes for two CVEs.
>>
>> *** On March 1, 2020, we will stop publishing rulesets with SHA-1
>> signatures.
>>     If you do not update to 3.4.2 or later, you will be stuck at the last
>>     ruleset with SHA-1 signatures. ***


On Wed, 29 Jan 2020, Matus UHLAR - fantomas wrote:
> I wonder, is it that hard to provide sha-1 signatures together with
> sha256?

On Wed, Jan 29, 2020 at 2:44 PM John Hardin <jhar...@impsec.org> wrote:
> It's not hard to do that. It's insecure.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Microsoft dick is soft to do no harm
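
The question raised in this thread, whether a client that supports SHA-256 is still exposed when SHA-1 is published alongside it, comes down to what the client does when the stronger digest is missing. The following is an added example, not part of the thread and not sa-update's own code; the function names and sample data are constructed for illustration. It compares a client that falls back to SHA-1 with one that enforces a SHA-256 floor:

```python
import hashlib
import hmac

# Digest algorithms ranked weakest to strongest; SHA-1 is the one being retired.
STRENGTH = {"sha1": 0, "sha256": 1, "sha512": 2}

def publish(payload, algos):
    """Constructed stand-in for a mirror: digest files served beside a ruleset."""
    return {a: hashlib.new(a, payload).hexdigest() for a in algos}

def verify(payload, digests, minimum="sha256"):
    """Check payload against the strongest digest on offer.

    Returns the algorithm that matched. Raises ValueError when the strongest
    digest offered is weaker than `minimum`, or when it does not match.
    """
    offered = [a for a in digests if a in STRENGTH]
    if not offered:
        raise ValueError("no usable digest offered")
    best = max(offered, key=STRENGTH.get)
    if STRENGTH[best] < STRENGTH[minimum]:
        raise ValueError(f"only {best} offered, below required {minimum}")
    expected = digests[best].strip().lower()
    actual = hashlib.new(best, payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{best} mismatch")
    return best

def demo():
    ruleset = b"constructed ruleset archive bytes"   # sample data, not a real ruleset
    full = publish(ruleset, ["sha1", "sha256"])      # both digests published
    stripped = {"sha1": full["sha1"]}                # view when the sha256 file is withheld
    results = {
        # A client with SHA-1 fallback uses SHA-256 when it can see it ...
        "fallback_full": verify(ruleset, full, minimum="sha1"),
        # ... but silently rests on SHA-1 alone when it cannot.
        "fallback_stripped": verify(ruleset, stripped, minimum="sha1"),
    }
    try:
        verify(ruleset, stripped)                    # strict client, SHA-256 floor
        results["strict_stripped"] = "accepted"
    except ValueError:
        results["strict_stripped"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The fallback client's assurance is only as strong as the weakest digest it will accept, which is why the set of digests offered matters as much as the client's preference order.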
