There are known Collision Attacks for the MD5SUM method of hashing, so it is possible to modify a file and make it have the same MD5SUM as another file. See this link for details on Collision Attacks:

http://en.wikipedia.org/wiki/Collision_attack

Recommendation from the US-CERT concerning MD5SUM hashes:

http://www.kb.cert.org/vuls/id/836068

Based on the above information, the CentOS team will be using sha256sum (sha-2) and not md5sum to generate future hashes for posting on our e-mail announcements to the CentOS Announce Mailing List.

Thanks, Johnny Hughes The CentOS Project