We use Red Hat Insights to help us catch performance and security issues on our servers, and as I get into it more I have seen this warning, related only to Veeam-installed RPM packages on RHEL servers, saying they are signed with SHA-1 and that we should ask the vendor to update the signing, as it is a known security issue. This affects RHEL 7 and 8 servers as well. Support requested that I also post this here. Is there a contact our Cyber Security team can discuss this with to see about getting this updated?
The SHA-1 message digest has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.
The following packages installed on this system are signed with the SHA-1 algorithm:
veeam-libs
veeam
kmod-veeamsnap
For some reason RHEL 8 is showing the same thing, and RHEL still thinks it is SHA-1. Is there someone at Red Hat I can try to connect with to look into this?
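As an added example (not from the original post, and not Veeam's or Red Hat's code): a POSIX shell check that reads the digest algorithm out of the signature string rpm prints for the `%{SIGPGP:pgpsig}` and `%{RSAHEADER:pgpsig}` tags (for example `RSA/SHA1, <date>, Key ID <id>`) and flags MD5 or SHA1, so a team can confirm an Insights finding like the one above directly on a RHEL 7 or 8 host instead of relying on the report alone. The sample signature strings are constructed; the key IDs and dates in them are placeholders.

```shell
#!/bin/sh
# Added example: classify RPM signature digests from the string rpm prints for
# %{SIGPGP:pgpsig} (package signature) and %{RSAHEADER:pgpsig} (header signature).
# The strings look like "RSA/SHA1, Tue 01 Jan 2019 00:00:00 UTC, Key ID 0000000000000000"
# or "(none)" when that signature type is absent.

# sig_digest "<pgpsig string>" -> prints the digest name (SHA1, SHA256, ...) or NONE
sig_digest() {
    case "$1" in
        "(none)"|"")
            echo NONE ;;
        *)
            alg=${1%%,*}           # text before the first comma: "RSA/SHA1"
            printf '%s\n' "${alg#*/}"   # drop the public-key algorithm and the slash
            ;;
    esac
}

# is_weak_digest "<digest>" -> returns 0 when the digest is one rpm should not rely on
is_weak_digest() {
    case "$1" in
        MD5|SHA1) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_installed: print "<package> <digest>" for every installed package and mark
# weak ones. Only meaningful on an rpm-based host; returns 1 elsewhere.
audit_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host" >&2; return 1; }
    tab=$(printf '\t')
    rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\t%{RSAHEADER:pgpsig}\n' |
    while IFS="$tab" read -r name sigpgp rsahdr; do
        # prefer the package signature; fall back to the header-only signature
        d=$(sig_digest "$sigpgp")
        [ "$d" = NONE ] && d=$(sig_digest "$rsahdr")
        if is_weak_digest "$d"; then
            echo "WEAK $name $d"
        else
            echo "ok   $name $d"
        fi
    done
}

# demo: run the classifier over constructed sample strings (placeholder dates and key IDs)
demo() {
    for s in "RSA/SHA1, Tue 01 Jan 2019 00:00:00 UTC, Key ID 0000000000000000" \
             "RSA/SHA256, Tue 01 Jan 2019 00:00:00 UTC, Key ID 1111111111111111" \
             "(none)"; do
        d=$(sig_digest "$s")
        if is_weak_digest "$d"; then
            echo "WEAK $d <- $s"
        else
            echo "ok   $d <- $s"
        fi
    done
}

demo
if command -v rpm >/dev/null 2>&1; then
    audit_installed
fi
```

On a RHEL host, `rpm -q --qf '%{SIGPGP:pgpsig}\n' veeam` prints the same kind of string the classifier parses, and `rpm -qi veeam` shows it on its `Signature` line; a result of `RSA/SHA1` for the `veeam`, `veeam-libs` and `kmod-veeamsnap` packages is what the Insights finding above is reporting, independent of which RHEL release the host runs.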