
Bug 914426

Summary: net-mail/asmail-2.1: uses deprecated MD5
Product: Gentoo Security
Reporter: Pascal Jäger <pascal.jaeger>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Pascal Jäger 2023-09-19 09:09:24 UTC
The program uses MD5, deprecated by OpenSSL and considered insecure.

Package has not been updated since 2011 and usage is questionable, upstream is dead.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-19 09:10:04 UTC
What is it actually using md5 for? It's fine in some contexts.
Comment 2 Hans de Graaff gentoo-dev Security 2023-09-24 06:50:08 UTC
The man page mentions POP3 authentication. Not sure if this is a problem in practice since I think you'll have a hard time finding a POP3 server that still allows non-tls authentication.
Comment 3 Pascal Jäger 2023-09-25 14:42:57 UTC
I was aiming for last riting the package and the security bug was just the cause I needed, tbh. 

The packages from https://tigr.net/afterstep/applets/ are all stale, most of them maintainer needed, last update about two decades ago. And then this vulnerability.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-27 02:17:34 UTC
I understand the intent, but I feel like that's kind of abuse of the procedure.

If you think there's an actual vulnerability, please state it clearly. Using MD5 *anywhere in the program* doesn't make it vulnerable - it depends on how it's used and what for.