| Field | Value |
|---|---|
| Summary | net-misc/sendmail: Possibly inadequate key sizes for RSA |
| Product | Gentoo Security |
| Reporter | Sam James `<sam>` |
| Component | Auditing |
| Assignee | Gentoo Security `<security>` |
| Status | UNCONFIRMED |
| Severity | normal |
| CC | kredba |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | (empty) |
| Package list | (empty) |
| Runtime testing required | --- |
Description
Sam James
2020-03-30 15:17:18 UTC
(In reply to Sam James (sam_c) (security padawan) from comment #0)
> This needs investigation, but I'm splitting it out from another bug.
>
> From Seth Robertson here: https://bugs.gentoo.org/699414#c0
> > I also am *extremely* dubious about the default of 512 bits of RSA key being used by sendmail for this key generation. The "enhanced" default of 1024 bits for FIPS is pretty dubious as well (though possibly required). I'm not sure what this RSA key is being used for, but 512 bits could be broken for $75 in 2015 https://arstechnica.com/information-technology/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/ so I cannot imagine it is a good default. However, technically this is a different matter than the primary bug and nothing to do with gentoo patches being broken. See RSA_KEYLENGTH in sendmail.h if you want to fix it as an extremely good idea.
>
> I have filed this as bug . Note that net-mail/sendmail is maintainer-needed, so a patch would be appreciated.

Ignore the last few lines.. :)
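To audit whether a generated key actually meets a size policy, the check below (an added example, not sendmail's or Gentoo's code) reads the modulus length out of a DER-encoded PKCS#1 RSAPublicKey using only the standard library and flags anything under an assumed 2048-bit floor, which is where the 512-bit default and the 1024-bit FIPS default quoted above both fail. The sample moduli are constructed random integers of the right width, not real RSA keys.

```python
import secrets

MIN_RSA_BITS = 2048  # assumed policy floor; not a value from the bug report

def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    """DER INTEGER of a non-negative int; a leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body

def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = der_integer(n) + der_integer(e)
    return b"\x30" + _der_length(len(content)) + content

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(der):
    """Bit length of the modulus in a DER RSAPublicKey (its first INTEGER)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()

def assess_key(der, minimum=MIN_RSA_BITS):
    """Return (bits, verdict): 512- and 1024-bit moduli fail a 2048-bit floor."""
    bits = modulus_bits(der)
    return bits, ("ok" if bits >= minimum else "inadequate")

def constructed_modulus(bits):
    """Random odd integer of exactly `bits` bits: a stand-in, NOT a real RSA modulus."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1
```

The same parser works on the RSAPublicKey blob inside a SubjectPublicKeyInfo once the outer wrapper is stripped; for a PEM file, base64-decode the body between the markers first.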