Timothee Maret created SLING-6638: ------------------------------------- Summary: Vault Package Builder should not allow SHA1, MD5 digest algorithm Key: SLING-6638 URL: https://issues.apache.org/jira/browse/SLING-6638 Project: Sling Issue Type: Bug Components: Content Distribution Affects Versions: Content Distribution Core 0.2.6 Reporter: Timothee Maret Fix For: Content Distribution Core 0.2.8
The {{VaultDistributionPackageBuilderFactory} [0] proposes the MD5, MD2 and SHA-1 algorithms, for which collisions could realistically be forged. SCD makes use of those algorithm for error detection (like a CRC) and not for security. Despite that, we should deprecate the use of those algorithms IMO. I propose to remove the three algorithms form the list of proposals, and throw and exception if a non supported algorithm is used. The component end up not being activated unless the configuration is corrected. [0] https://github.com/apache/sling/blob/trunk/contrib/extensions/distribution/core/src/main/java/org/apache/sling/distribution/serialization/impl/vlt/VaultDistributionPackageBuilderFactory.java#L191-L193 -- This message was sent by Atlassian JIRA (v6.3.15#6346)