spamassassin-users mailing list archives

From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
Date Thu, 30 Jan 2020 09:44:09 GMT
On 29.01.20 15:21, Kevin A. McGrail wrote:
>Correct, it's a policy issue.  ASF Projects must stop providing SHA-1
>signatures and we negotiated that deadline.

do you mean, not having updates is better than using sha-1?

wouldn't clients supporting sha256 still use those over sha-1 or do you
expect MITM attackers to hide sha256 hashes so fake sha-1 can be forged?

>> > On 29.01.20 14:12, Kevin A. McGrail wrote:
>> >> On behalf of the Apache SpamAssassin Project, I am pleased to announce
>> >> version 3.4.4 is available.
>> >>
>> >> Release Notes -- Apache SpamAssassin -- Version 3.4.4
>> >>
>> >> Introduction
>> >> ------------
>> >>
>> >> Apache SpamAssassin 3.4.4 is primarily a security release.
>> >>
>> >> In this release, there are bug fixes for two CVEs.
>> >>
>> >> *** On March 1, 2020, we will stop publishing rulesets with SHA-1
>> >> signatures.
>> >>     If you do not update to 3.4.2 or later, you will be stuck at the last
>> >>     ruleset with SHA-1 signatures. ***


>> On Wed, 29 Jan 2020, Matus UHLAR - fantomas wrote:
>> > I wonder, is it that hard to provide sha-1 signatures together with
>> > sha256?

>On Wed, Jan 29, 2020 at 2:44 PM John Hardin <jhardin@impsec.org> wrote:
>> It's not hard to do that. It's insecure.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Microsoft dick is soft to do no harm
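
The downgrade scenario asked about in this message, as an added example that is not part of the original post and is not SpamAssassin's or sa-update's code: a verifier that falls back to SHA-1 when stronger digests are absent lets whoever serves the files choose the algorithm, while a strict verifier rejects the update instead. The function names, the preference order and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

PREFERENCE = ("sha512", "sha256", "sha1")  # strongest first (assumed ordering)
WEAK = {"sha1"}


class VerificationError(Exception):
    pass


def verify_update(payload, published, allow_weak):
    """Verify payload against the strongest digest offered; return its name.

    `published` maps algorithm name -> hex digest as fetched next to the
    update, so whoever controls the channel decides which entries exist.
    """
    for alg in PREFERENCE:
        if alg not in published:
            continue
        if alg in WEAK and not allow_weak:
            break  # only weak digests are left: refuse rather than downgrade
        actual = hashlib.new(alg, payload).hexdigest()
        if not hmac.compare_digest(actual, published[alg].strip().lower()):
            raise VerificationError(alg + " digest mismatch")
        return alg
    raise VerificationError("no acceptable digest published")


def outcome(payload, published, allow_weak):
    """Return the algorithm trusted, or 'rejected' if verification fails."""
    try:
        return verify_update(payload, published, allow_weak)
    except VerificationError:
        return "rejected"


# Constructed sample data, not a real ruleset.
RULES = b"constructed ruleset tarball bytes"
FULL = {a: hashlib.new(a, RULES).hexdigest() for a in PREFERENCE}
SHA1_ONLY = {"sha1": FULL["sha1"]}  # stronger entries hidden in transit

if __name__ == "__main__":
    for name, digests in (("full", FULL), ("sha1-only", SHA1_ONLY)):
        for allow_weak in (True, False):
            print(name, allow_weak, outcome(RULES, digests, allow_weak))
```

With fallback allowed, the SHA-1-only set is accepted on SHA-1 alone; with fallback disabled the same set is rejected, which is the behaviour a client gets once SHA-1 files are no longer published or honoured.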
