Re: Should we settle on one SSL implementation?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2007-10-23 at 10:29 -0700, Robert Relyea wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-23 at 16:11 +0100, Daniel P. Berrange wrote:
> >   
> >> Well for that matter GLibC itself has MD5 in it....
> >>     
> >
> > Quick! Make it depend on NSS! :-)
> >   
> in progress.;).
> > /simo with 3 packages with the same bug filed I can't possibly fix as
> > NSS simply do not have the relevant algorithms ...
> >   
> Which algorithms are missing?
> 
> If MD4 is one of the algorithms,  We have a plan for that. MD4 is 
> fundamentally broken, has been for 10 years. There is only one 
> legitimate use of MD4 that I know of and that is support NTLM 
> (Microsoft's old NT authentication mechanism). In this case we need a 
> common NTLM library that all NTLM users call. Any other use of MD4 needs 
> to be identified and potentially squashed. Blind use of MD4 is 
> detrimental to the security of our products.
> 
> If your product used MD4 for NTLM, we need a bug to create our common 
> NTLM library (probably means take and existing library and make it the 
> standard), and make your conversion depended on that library. If your 
> package used MD4 for something other than NTLM, we need to look at that 
> usage specifically to see if it's a security issue.

FYI I am the maintainer of samba and pam_smb ...

Simo.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux