hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dr Stephen A Hellberg (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-17226) Use strong hashing as security improvement
Date Thu, 28 Sep 2017 17:15:00 GMT

    [ https://issues.apache.org/jira/browse/HIVE-17226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184485#comment-16184485
] 

Dr Stephen A Hellberg commented on HIVE-17226:
----------------------------------------------

What prospects for the backport?  I'd be interested to see No.1 addressing the update for
use of SHA-1 available on the older release lines.  Did it happen?

> Use strong hashing as security improvement
> ------------------------------------------
>
>                 Key: HIVE-17226
>                 URL: https://issues.apache.org/jira/browse/HIVE-17226
>             Project: Hive
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Tao Li
>            Assignee: Tao Li
>             Fix For: 3.0.0
>
>
> There have been 2 places identified where weak hashing needs to be replaced by SHA256.
> 1. CookieSigner.java uses MessageDigest.getInstance("SHA"). Mostly SHA is mapped to SHA-1,
which is not secure enough according to today's standards. We should use SHA-256 instead.
> 2. GenericUDFMaskHash.java uses DigestUtils.md5Hex. MD5 is considered weak and should
be replaced by DigestUtils.sha256Hex.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message