On Tue, 2007-10-23 at 10:29 -0700, Robert Relyea wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-23 at 16:11 +0100, Daniel P. Berrange wrote:
> >
> > > Well for that matter GLibC itself has MD5 in it....
> >
> > Quick! Make it depend on NSS! :-)
> >
> in progress. ;)
>
> > /simo with 3 packages with the same bug filed I can't possibly fix as
> > NSS simply does not have the relevant algorithms ...
> >
> Which algorithms are missing?
>
> If MD4 is one of the algorithms, we have a plan for that. MD4 is
> fundamentally broken, has been for 10 years. There is only one
> legitimate use of MD4 that I know of and that is to support NTLM
> (Microsoft's old NT authentication mechanism). In this case we need a
> common NTLM library that all NTLM users call. Any other use of MD4 needs
> to be identified and potentially squashed. Blind use of MD4 is
> detrimental to the security of our products.
>
> If your product used MD4 for NTLM, we need a bug to create our common
> NTLM library (probably means take an existing library and make it the
> standard), and make your conversion dependent on that library. If your
> package used MD4 for something other than NTLM, we need to look at that
> usage specifically to see if it's a security issue.

FYI I am the maintainer of samba and pam_smb ...

Simo.