james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antoine Duprat (JIRA)" <server-...@james.apache.org>
Subject [jira] [Resolved] (JAMES-2201) Vulnerable to SHAttered attack
Date Wed, 08 Nov 2017 10:44:00 GMT

     [ https://issues.apache.org/jira/browse/JAMES-2201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Antoine Duprat resolved JAMES-2201.
    Resolution: Fixed


> Vulnerable to SHAttered attack
> ------------------------------
>                 Key: JAMES-2201
>                 URL: https://issues.apache.org/jira/browse/JAMES-2201
>             Project: James Server
>          Issue Type: Bug
>          Components: mailbox
>    Affects Versions: master
>            Reporter: Thibaut SAUTEREAU
>            Priority: Minor
>             Fix For: master
> Given the way SHA-1 is used to index attachments, it is vulnerable to the SHAttered attack
(https://shattered.io/), meaning you can overwrite the attachment of a first email with a
second email).
> It is not critical yet as it took a lot of computational power from Google to generate
those 2 PDFs, but this issue will probably become widespread in coming years and I think switching
to SHA-256 for instance is a low hanging fruit.
> The same problem arises with Cassandra blob IDs.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

View raw message