[Bug 1100295] Re: MD5 is insecure, add modern hashing
Seth Arnold
1100295 at bugs.launchpad.net
Fri Sep 2 20:34:26 UTC 2016
Marking Ubuntu GNOME as Invalid as that's just far too broad.
Marking debsums and dpkg as Wontfix because debsums is not intended to
be a security tool:
    debsums is intended primarily as a way of determining what
    installed files have been locally modified by the
    administrator or damaged by media errors and is of limited
    use as a security tool.
    If you are looking for an integrity checker that can run from
    safe media, do integrity checks on checksum databases and can
    be easily configured to run periodically to warn the admin of
    changes see other tools such as: aide, integrit, samhain, or
    tripwire.
I suspect the list of suggested programs in the last sentence may need
some modification due to the passage of time.
debsums is not suitable for determining malicious modifications of the
filesystem. An attacker in a position to modify packaged files can
likely also replace debsums itself, any libraries that debsums may use,
the database of hashes, perhaps even kernel mechanisms that would hide
the effects of modified filesystems.
debsums is meant to help discover locally-modified programs and it
serves that purpose well even with md5.
Thanks
--
https://bugs.launchpad.net/bugs/1100295
Title:
MD5 is insecure, add modern hashing
Status in Ubuntu GNOME:
Invalid
Status in debsums package in Ubuntu:
Won't Fix
Status in dpkg package in Ubuntu:
Won't Fix
Bug description:
MD5 is insecure due to hash collisions.
Add more modern and reliable hashing algorithms such as SHA-256 or
SHA-512.