Bug#641950: security of Crypt::RC4

Guy Hulbert gwhulbert at eol.ca
Sun Sep 18 17:40:59 UTC 2011


On Sun, 2011-18-09 at 15:11 +0200, Florian Weimer wrote:
> * Nicholas Bamber:
> 
> > Please could someone have a look at #641950? This module was
> > packaged as it has been flagged up as a dependency of a new version of
> > an existing package. However based upon the comments in the bug report
> > it really is something we do not wish to encourage.
> > In any case the CPAN module seems to be dead upstream. Should we simply
> > adjust the description (and if so what tone should be taken) or should
> > the package be removed?
> 
> RC4 is used by protocols we might want to implement, so we need the
> code.  As far as I understand it, there are relatively safe ways to
> use the cipher, even though it is severely broken.

This is a good summary for SSH.
http://tools.ietf.org/html/rfc4345

It is used for speed ... the RFC says use with caution and not for high
volume applications.  There are links to further references within.

It's also used in SSL.

The Wikipedia page on RC4 has more details and references.

-- 
--gh







More information about the pkg-perl-maintainers mailing list