james-server-dev mailing list archives

From "Thibaut SAUTEREAU (JIRA)" <server-...@james.apache.org>
Subject [jira] [Created] (JAMES-2201) Vulnerable to SHAttered attack
Date Mon, 23 Oct 2017 03:09:00 GMT
Thibaut SAUTEREAU created JAMES-2201:

             Summary: Vulnerable to SHAttered attack
                 Key: JAMES-2201
                 URL: https://issues.apache.org/jira/browse/JAMES-2201
             Project: James Server
          Issue Type: Bug
          Components: mailbox
    Affects Versions: master
            Reporter: Thibaut SAUTEREAU
            Priority: Minor
             Fix For: master

Given the way SHA-1 is used to index attachments, it is vulnerable to the SHAttered attack
(https://shattered.io/), meaning you can overwrite the attachment of a first email with a
second email.

It is not critical yet as it took a lot of computational power from Google to generate those
2 PDFs, but this issue will probably become widespread in coming years and I think switching
to SHA-256 for instance is a low-hanging fruit.

This message was sent by Atlassian JIRA
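
An added illustration of the issue reported above (not James code and not part of the original message): a hypothetical in-memory attachment store whose ids are content digests, shown unchecked, with a byte-comparison check on write, and keyed by SHA-256. A real SHA-1 collision cannot be produced offline, so `weak_digest` (SHA-1 truncated to 8 bits) is a constructed stand-in for a broken hash; every name here is an assumption.

```python
import hashlib

def weak_digest(data: bytes) -> str:
    # Constructed stand-in for a broken hash: SHA-1 cut to 8 bits, so two
    # colliding inputs can be found offline. Not a real SHA-1 collision.
    return hashlib.sha1(data).hexdigest()[:2]

def sha256_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CollisionError(Exception): pass

class AttachmentStore:
    """Hypothetical store: attachment id = digest(content)."""
    def __init__(self, digest, verify=False):
        self.digest, self.verify, self.blobs = digest, verify, {}
    def put(self, content: bytes) -> str:
        key = self.digest(content)
        # verify=True: same id but different bytes is refused, not overwritten.
        if self.verify and self.blobs.get(key, content) != content:
            raise CollisionError(key)
        self.blobs[key] = content  # unchecked store: last writer wins
        return key

def colliding_pair(digest):
    # 257 distinct inputs into 256 possible ids must collide (pigeonhole).
    seen = {}
    for i in range(257):
        data = b"constructed attachment %d" % i
        key = digest(data)
        if key in seen:
            return seen[key], data
        seen[key] = data
    raise RuntimeError("digest has more than 256 outputs")

def demo():
    first, second = colliding_pair(weak_digest)
    naive = AttachmentStore(weak_digest)
    first_id = naive.put(first)
    naive.put(second)  # second email's attachment lands on the same id
    overwritten = naive.blobs[first_id] == second
    checked = AttachmentStore(weak_digest, verify=True)
    checked.put(first)
    detected = False
    try:
        checked.put(second)
    except CollisionError:
        detected = True
    strong = AttachmentStore(sha256_digest)
    return overwritten, detected, strong.put(first) != strong.put(second)
```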
