Insecure MD5 usage in Multiprocessing.connection #100755

Closed as not planned
@bdrodes

Description

Feature or enhancement

Remove insecure use of md5 in Multiprocessing.connection

Pitch

We discovered uses of the md5 hash, which has been proven insecure for more than a decade, in the Multiprocessing.connection library in the methods deliver_challenge and answer_challenge. This usage was apparently added in 2013 since the default implicit hashing mode for hmac.new was deprecated at that time. hmac.new previously defaulted to MD5 if a hashing algorithm was not specified. The 2013 change brings the code back to consistency with its prior use, but that use is insecure. It should be trivial to change the two uses in this library to a SHA2/3 secure hashing function (e.g., SHA512).

Failure to update the hashing algorithm may require organizations to fully cease use of the Multiprocessing library or components of the library to meet industry security standards with respect to acceptable uses of hashing algorithms.
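To make the proposed change concrete, here is an added example (not CPython's own code) that reproduces the shape of the deliver_challenge/answer_challenge handshake in memory, with the digest passed to hmac.new as a parameter so the MD5 case can be compared with a SHA-2 replacement; the message prefixes, the nonce length and the in-memory exchange are assumptions standing in for the real socket-based protocol.

```python
import hmac
import os

# Constructed framing constants for this example; the real library sends its
# challenge and verdict bytes over a Connection object rather than in memory.
CHALLENGE = b'#CHALLENGE#'
WELCOME = b'#WELCOME#'
FAILURE = b'#FAILURE#'


def deliver_challenge(authkey, digestmod, nonce=None):
    """Server side: build the challenge message and precompute the expected reply.

    digestmod is the name handed to hmac.new(); 'md5' is what the issue reports,
    'sha512' is the kind of SHA-2 replacement it proposes.
    """
    message = nonce if nonce is not None else os.urandom(20)  # 20-byte nonce assumed
    expected = hmac.new(authkey, message, digestmod).digest()
    return CHALLENGE + message, expected


def answer_challenge(authkey, digestmod, challenge):
    """Client side: strip the prefix and return the keyed digest of the nonce."""
    if not challenge.startswith(CHALLENGE):
        raise ValueError('unexpected message from server')
    message = challenge[len(CHALLENGE):]
    return hmac.new(authkey, message, digestmod).digest()


def verify_response(expected, response):
    """Server side: constant-time comparison of the client's reply."""
    return WELCOME if hmac.compare_digest(expected, response) else FAILURE


def handshake(authkey, digestmod, client_key=None):
    """Run both sides with one digest; returns (verdict, digest size in bytes).

    Only the digestmod argument differs between the MD5 and SHA-2 runs, which is
    the whole of the change the issue asks for.
    """
    challenge, expected = deliver_challenge(authkey, digestmod)
    response = answer_challenge(client_key or authkey, digestmod, challenge)
    return verify_response(expected, response), len(expected)
```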
