Task #106307

open

Use HMAC-SHA256 where applicable

Added by Oliver Hader 11 days ago. Updated 11 days ago.

Status: New
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2025-03-05
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 14
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

  • Replace the current HMAC-SHA1 with a stronger hashing algorithm.
  • Consider updating cHash to use a (stronger) HMAC as well.

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=10

Quote on HMAC-SHA1 (document viewed March 5th, 2025)

HMAC-SHA1 SHA1 is not a collision-resistant hash function. The generation of SHA1 collisions, while requiring moderate effort, is practically possible [75, 74, 107], even though, according to current knowledge, there are no known weaknesses when using SHA1 in constructions that do not require collision resistance (for example, as the basis for an HMAC, as part of the mask generation function in RSA-OAEP, or as a component of a pseudorandom number generator). However, as a basic security measure, it is recommended to use a hash function of the SHA2 or SHA3 family in these applications as well.
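
An added illustration of the first bullet, not TYPO3 code and not part of the ticket: issuing tags with HMAC-SHA256 while optionally still verifying older HMAC-SHA1 tags during a transition period. The function names, the transition flag and the sample values are assumptions made for this sketch; only PHP's built-in `hash_hmac()` and `hash_equals()` are real APIs.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. All names below are hypothetical.

const TAG_LENGTH_SHA256 = 64; // hex characters in an HMAC-SHA256 tag
const TAG_LENGTH_SHA1 = 40;   // hex characters in a legacy HMAC-SHA1 tag

function signPayload(string $payload, string $secret): string
{
    // New tags are always issued with HMAC-SHA256.
    return hash_hmac('sha256', $payload, $secret);
}

function verifyPayload(
    string $payload,
    string $tag,
    string $secret,
    bool $acceptLegacySha1 = false
): bool {
    // Select the algorithm from the tag length; any other length is rejected
    // before a MAC is computed.
    $length = strlen($tag);
    if ($length === TAG_LENGTH_SHA256) {
        $algorithm = 'sha256';
    } elseif ($length === TAG_LENGTH_SHA1 && $acceptLegacySha1) {
        $algorithm = 'sha1';
    } else {
        return false;
    }
    // hash_equals() compares in constant time, so the comparison does not
    // leak how many leading characters of a guessed tag were correct.
    return hash_equals(hash_hmac($algorithm, $payload, $secret), $tag);
}

// Constructed sample values, for demonstration only.
$secret = 'constructed-example-secret';
$payload = 'id=42&type=0';
$newTag = signPayload($payload, $secret);
$oldTag = hash_hmac('sha1', $payload, $secret); // tag issued before the switch

var_dump(verifyPayload($payload, $newTag, $secret));          // current tag
var_dump(verifyPayload($payload, $oldTag, $secret));          // legacy tag, flag off
var_dump(verifyPayload($payload, $oldTag, $secret, true));    // legacy tag, flag on
var_dump(verifyPayload($payload . '&x=1', $newTag, $secret)); // altered payload
```

The legacy flag is meant to be switched off once previously issued tags have expired, so that only SHA-256 tags remain valid.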

#1 Updated by Oliver Hader 11 days ago

  • Description updated (diff)