Summary: | net-mail/asmail-2.1: uses deprecated MD5 | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Pascal Jäger <pascal.jaeger> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Pascal Jäger
2023-09-19 09:09:24 UTC
What is it actually using md5 for? It's fine in some contexts. The man page mentions POP3 authentication. Not sure if this is a problem in practice since I think you'll have a hard time finding a POP3 server that still allows non-tls authentication. I was aiming for last riting the package and the security bug was just the cause I needed, tbh. The packages from https://tigr.net/afterstep/applets/ are all stale, most of them maintainer needed, last update about two decades ago. And than this vulnerability. I understand the intent, but I feel like that's kind of abuse of the procedure. If you think there's an actual vulnerability, please state it clearly. Using MD5 *anywhere in the program* doesn't make it vulnerable - it depends on how it's used and what for. |