sidorares/node-mysql2

weak hashing algorithm used

Closed this issue · 2 comments

Mysql2 version: 3.11.0

I am writing this to raise an issue regarding the weak hashing algorithm (SHA1) used in the mysql2 code.
This VAPT is raised by the CISO team and we are seeking a fix/patch for this issue.
Please provide your comment on this!


CODE

path: mysql2/lib/auth_41.js

```js
function sha1(msg, msg1, msg2) {
  const hash = crypto.createHash('sha1');
  hash.update(msg);
  if (msg1) {
    hash.update(msg1);
  }

  if (msg2) {
    hash.update(msg2);
  }

  return hash.digest();
}
```

It is required to connect to any server using mysql_native_password for authentication, since that plugin, which was standard for a very long time, uses SHA-1.
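Why the client cannot simply swap the hash, as an added example (not code from mysql2 or from this thread): both sides of the mysql_native_password challenge-response, following the publicly documented formula. The password, the `sha256Token` variant and `demo` are constructed for illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Hash the concatenation of the given buffers with the named algorithm.
function digest(alg, ...parts) {
  const hash = crypto.createHash(alg);
  for (const p of parts) hash.update(p);
  return hash.digest();
}
const sha1 = (...parts) => digest('sha1', ...parts);

function xor(a, b) {
  const out = Buffer.alloc(a.length);
  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// Server, at account creation: only SHA1(SHA1(password)) is stored.
function storedHash(password) {
  return sha1(sha1(Buffer.from(password, 'utf8')));
}

// Client: token = SHA1(password) XOR SHA1(scramble + SHA1(SHA1(password)))
function clientToken(password, scramble) {
  const stage1 = sha1(Buffer.from(password, 'utf8'));
  return xor(stage1, sha1(scramble, sha1(stage1)));
}

// Server: recover the candidate SHA1(password), check it hashes to the stored value.
function serverVerify(token, scramble, stored) {
  if (token.length !== stored.length) return false;
  const candidate = xor(token, sha1(scramble, stored));
  return crypto.timingSafeEqual(sha1(candidate), stored);
}

// Hypothetical client that swaps in SHA-256, as a scanner-driven change would.
function sha256Token(password, scramble) {
  const stage1 = digest('sha256', Buffer.from(password, 'utf8'));
  return xor(stage1, digest('sha256', scramble, digest('sha256', stage1)));
}

function demo() {
  const scramble = crypto.randomBytes(20); // constructed 20-byte server nonce
  const stored = storedHash('s3cret');     // constructed password
  return {
    sha1Client: serverVerify(clientToken('s3cret', scramble), scramble, stored),
    wrongPassword: serverVerify(clientToken('guess', scramble), scramble, stored),
    sha256Client: serverVerify(sha256Token('s3cret', scramble), scramble, stored),
  };
}
```

The SHA-256 client fails even with the correct password because the server's stored value and verification step are defined in terms of SHA-1. Moving off SHA-1 therefore means changing the account's authentication plugin on the server (for example to `caching_sha2_password`), not patching the client's hash call.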

Closing in favor of #3045.