[MDEV-12701] ACL secured by SHA1 algorithm too weak/outdated
Created: 2017-05-05  Updated: 2017-05-05  Resolved: 2017-05-05

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Plugins
Fix Version/s: 10.1.22, 10.2.5

Type: Task
Priority: Critical
Reporter: Adam Kubina
Assignee: Sergei Golubchik
Resolution: Duplicate
Votes: 0
Labels: PCI, audit, sha1

Issue Links:
Duplicate
is duplicated by MDEV-12160 Modern alternative to the SHA1 authen... Closed

 Description   

SHA1 is known as insecure/weak.
There should be a secure hashing alternative.

PCI Certified Enterprises can expect problems with auditing.

https://www.heise.de/security/meldung/Todesstoss-Forscher-zerschmettern-SHA-1-3633589.html
https://shattered.it/



 Comments   
Comment by Sergei Golubchik [ 2017-05-05 ]

MariaDB SHA1 authentication is still secure. The shattered.it attack only allows someone to generate two passwords with the same SHA1 hash; it does not help to generate a password with a given SHA1 hash.

Anyway, we have a SHA1 alternative; it was implemented in MDEV-12160.
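
The distinction drawn in the comment above, between producing any two inputs with the same hash (a collision) and producing an input for one given hash (a preimage), shown as an added example that is not part of the ticket or of MariaDB's code. It truncates SHA-1 to 16 bits (an assumption, so that both searches finish quickly); all function names and input strings are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: toy digest width, small enough to brute-force in seconds


def h(msg: bytes) -> int:
    """SHA-1 truncated to its top BITS bits (stand-in for the full 160-bit digest)."""
    return int.from_bytes(hashlib.sha1(msg).digest()[:4], "big") >> (32 - BITS)


def find_collision():
    """Collision: the searcher chooses BOTH inputs, so any repeated digest counts.
    Expected work is about 2**(BITS/2) hashes (birthday bound)."""
    seen = {}
    for n in count(1):
        msg = b"c%d" % n
        digest = h(msg)
        if digest in seen:
            return seen[digest], msg, n
        seen[digest] = msg


def find_preimage(target: int):
    """Preimage: the digest is fixed in advance (e.g. a stored password hash),
    so only one value out of 2**BITS counts. Expected work is about 2**BITS hashes."""
    for n in count(1):
        msg = b"p%d" % n
        if h(msg) == target:
            return msg, n


if __name__ == "__main__":
    a, b, collision_work = find_collision()
    print(f"collision: {a!r} / {b!r} after {collision_work} hashes")

    stored = h(b"constructed-stored-secret")  # constructed sample "given hash"
    m, preimage_work = find_preimage(stored)
    print(f"preimage:  {m!r} after {preimage_work} hashes")
```

At the full 160-bit width the same two bounds are roughly 2^80 and 2^160 hashes for generic search, which is why a shortcut for the first problem does not carry over to the second.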
