[Secure-testing-team] Bug#825123: debarchiver: release files generated by debarchiver use weak digest algos in signatures
Christoph Anton Mitterer
calestyo at scientia.net
Mon May 23 20:01:25 UTC 2016
Package: debarchiver
Version: 0.10.5
Severity: grave
Tags: security
Justification: renders package unusable
Hi.
It seems that the Release/etc. files generated by debarchiver
use SHA1 as signature algorithm.
aptitude/etc. in sid no longer accept these weak algos per default
and reject such repos.
Please switch to SHA512... and ideally make the used algo configurable
for those who think SHA512 is too costly for them and want to use
something lower.
Thanks,
Chris.
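
An added example, not part of the original report and not debarchiver or apt code: a check that reads the digest algorithm recorded in the OpenPGP signature of a Release.gpg or InRelease file and flags SHA1. All function names, the WEAK set and the sample packet are assumptions constructed for this illustration.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: digests this check flags

def dearmor_signature(text):
    """Decode the PGP SIGNATURE block of a Release.gpg or InRelease file."""
    lines = [l.strip() for l in text.splitlines()]
    start = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----", start)
    block = lines[start + 1:end]
    body = block[block.index("") + 1:]       # a blank line ends the armor headers
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def signature_digest(packet):
    """Return the digest name recorded in the first OpenPGP signature packet."""
    first = packet[0]
    if first & 0x40:                          # new-format packet header
        tag, n = first & 0x3F, packet[1]
        if 224 <= n < 255:
            raise ValueError("partial body length not supported")
        header = 2 if n < 192 else 3 if n < 224 else 6
    else:                                     # old-format packet header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        header = 1 + (1, 2, 4)[ltype]
    if tag != 2:
        raise ValueError("not a signature packet")
    body = packet[header:]
    # v4 layout: version, sig type, pubkey algo, hash algo; v3 has it at offset 16.
    offset = {4: 3, 3: 16}.get(body[0])
    if offset is None:
        raise ValueError("unsupported signature version")
    return HASH_NAMES.get(body[offset], "unknown(%d)" % body[offset])

def check_release_signature(text):
    """Return (digest name, True if the digest is in WEAK)."""
    name = signature_digest(dearmor_signature(text))
    return name, name in WEAK

def constructed_sample(hash_id):
    """Constructed, truncated v4 RSA signature packet; not a verifiable signature."""
    body = bytes([4, 0x00, 1, hash_id, 0, 0, 0, 0, 0, 0])
    packet = bytes([0x88, len(body)]) + body  # old-format tag 2, one-byte length
    b64 = base64.b64encode(packet).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n" % b64
```

The check only reports which digest the signature declares; it does not verify the signature itself.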