Bug 169803
| Summary: | CVE-2005-2946 openssl insecure default message digest | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Josh Bressers <bressers> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | Brian Brock <bbrock> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.0 | CC: | nalin |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | impact=low,source=cve,public=20050716,reported=20050916 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-02-19 14:14:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Josh Bressers
2005-10-03 20:44:35 UTC
There is more information regarding this here: https://bugzilla.ubuntu.com/show_bug.cgi?id=13593

As openssl.cnf is %config(noreplace) for all RHELs I think it shouldn't be a problem to fix it there too. It is really debatable whether we want to change the default. On systems where the security of issued certificates is really critical, the sha1 hash should have been used long ago, and the default can be easily changed by modifying the config file. Also, this fix is probably not enough, as there should also be some changes on the verification side, at least some warnings when certificates with MD5 hashes are used or so.

I've fixed this (changed the default to sha1) in the Fedora Core development package. Leaving still open for the RHEL 4 and older consideration.

Won't fix for rhel4/3/2.1.
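The comment above names two places where the MD5 default matters: the `default_md` key in openssl.cnf, and the verification side, which should at least warn when a certificate signed with MD5 is presented. The following is an added example, not code from the bug report or from the openssl package, that implements both checks with the standard library only: a scanner for `default_md` lines in an openssl.cnf-style text, and a small DER walker that reads the outer signatureAlgorithm OID out of a certificate so a verifier can flag MD5 signatures. The config texts and the Certificate-shaped stub fed to it are constructed here for the demonstration (the stub is not a real, verifiable certificate; only its outer structure matches X.509), and the OID table covers just the RSA signature algorithms from RFC 3279 and RFC 4055 that the check needs.

```python
"""Added example: detect the MD5 digest default in openssl.cnf and MD5-signed certificates."""
import base64
import re

# RSA signature algorithm OIDs (RFC 3279 / RFC 4055); unknown OIDs are reported in dotted form.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_DIGESTS = ("md2", "md4", "md5")


def default_md_settings(cnf_text):
    """Return {section: digest} for every `default_md` line in an openssl.cnf-style text."""
    section, found = "", {}
    for line in cnf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"\[\s*(\S+)\s*\]", line)         # "[ req ]" style section header
        if m:
            section = m.group(1)
            continue
        m = re.match(r"default_md\s*=\s*(\S+)", line)
        if m:
            found[section] = m.group(1).lower()
    return found


def weak_default_md(cnf_text):
    """Sections whose default_md names an MD2/MD4/MD5 digest."""
    return {s: d for s, d in default_md_settings(cnf_text).items() if d in WEAK_DIGESTS}


def read_tlv(data, offset):
    """Decode one DER tag-length-value at offset -> (tag, value bytes, offset after it)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def load_certificate(blob):
    """Accept DER bytes or PEM text/bytes; return DER bytes."""
    if isinstance(blob, str):
        blob = blob.encode()
    if b"-----BEGIN" in blob:
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", blob))
    return blob


def signature_algorithm(blob):
    """Name (or dotted OID) of the outer signatureAlgorithm of an X.509 certificate."""
    tag, cert, _ = read_tlv(load_certificate(blob), 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, off = read_tlv(cert, 0)                      # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, off)               # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, dotted)


def uses_weak_digest(blob):
    """True when the certificate signature was produced over an MD2/MD4/MD5 digest."""
    return signature_algorithm(blob).lower().startswith(WEAK_DIGESTS)


# --- helpers that build the constructed test input (not needed for checking real files) ---
def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID to its base-128 content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_stub_certificate(sig_oid):
    """Constructed Certificate-shaped DER (NOT a real certificate): SEQUENCE {
    tbsCertificate SEQUENCE { INTEGER 1 }, AlgorithmIdentifier { OID, NULL }, BIT STRING }."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + bytes(16))               # 0 unused bits, dummy signature
    return der(0x30, tbs + alg + sig)


def to_pem(der_bytes):
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    body = base64.b64encode(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed config fragments: the old MD5 default beside the changed sha1 default.
OLD_CNF = "[ req ]\ndefault_md = md5\n[ CA_default ]\ndefault_md = md5\n"
NEW_CNF = "[ req ]\ndefault_md = sha1\n[ CA_default ]\ndefault_md = sha1\n"

if __name__ == "__main__":
    print("weak default_md (old cnf):", weak_default_md(OLD_CNF))
    print("weak default_md (new cnf):", weak_default_md(NEW_CNF))
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        stub = build_stub_certificate(oid)
        print(signature_algorithm(stub), "weak:", uses_weak_digest(stub))
```

Run against a real file, `signature_algorithm(open("cert.pem").read())` reports the outer signature algorithm, which is the value a verifier would gate on; `weak_default_md(open("/etc/pki/tls/openssl.cnf").read())` lists the sections that still sign new requests and certificates with MD5. The weak list is limited to the MD family because that is the digest the bug is about; a policy written today would add sha1 to `WEAK_DIGESTS` as well.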