This needs investigation, but I'm splitting it out from another bug.

From Seth Robertson here: https://bugs.gentoo.org/699414#c0

> I also am *extremely* dubious about the default of 512 bits of RSA key being
> used by sendmail for this key generation. The "enhanced" default of 1024
> bits for FIPS is pretty dubious as well (though possibly required). I'm not
> sure what this RSA key is being used for, but 512 bits could be broken for
> $75 in 2015
> https://arstechnica.com/information-technology/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/
> so I cannot imagine it is a good default. However, technically this is a
> different matter than the primary bug and nothing to do with gentoo patches
> being broken. See RSA_KEYLENGTH in sendmail.h if you want to fix it as an
> extremely good idea.

I have filed this as bug . Note that net-mail/sendmail is maintainer-needed, so a patch would be appreciated.
(In reply to Sam James (sam_c) (security padawan) from comment #0)

> This needs investigation, but I'm splitting it out from another bug.
>
> From Seth Robertson here: https://bugs.gentoo.org/699414#c0
>
> > I also am *extremely* dubious about the default of 512 bits of RSA key being
> > used by sendmail for this key generation. The "enhanced" default of 1024
> > bits for FIPS is pretty dubious as well (though possibly required). I'm not
> > sure what this RSA key is being used for, but 512 bits could be broken for
> > $75 in 2015
> > https://arstechnica.com/information-technology/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/
> > so I cannot imagine it is a good default. However, technically this is a
> > different matter than the primary bug and nothing to do with gentoo patches
> > being broken. See RSA_KEYLENGTH in sendmail.h if you want to fix it as an
> > extremely good idea.
>
> I have filed this as bug . Note that net-mail/sendmail is maintainer-needed,
> so a patch would be appreciated.

Ignore the last few lines... :)