Mark Thomas wrote:
> Filip Hanik - Dev Lists wrote:
>> you don't need to lobby, simply create a patch in Bugzilla
> 
> Although it is likely to get ignored / end up as WONTFIX. I don't see
> what the security issue is here. How does an MD5 collision affect the
> security of the session ID?

The only reason I can think of to apply it would be that MD5 shouldn't
enter the equation as an algorithm on a FIPS-140 application.  But since
anyone approaching this problem is trying to apply FIPS-140 to the SSL
communications layer, and that the session and user credentials are
probably not subjected to those rigours, you are possibly right.

The real answer as Filip suggests is to offer a patch, and find a committer
who will champion it and apply it for you :)
