MD5 and SHA-1 are widely deployed, and are included for that reason.
We strongly recommend that MD5 or SHA-1 not be used. You should plan to migrate to SHA-2 algorithms (or stronger) where possible. NIST recommends that SHA-1 should not be used for hashing after the end of 2010 for government applications. Forgery of MD5–based certificates using collision attacks is known. These are practical attacks, and MD5– based certificates should be replaced as soon as possible. Commercial CAs have stopped issuing MD5–based certificates, and are providing services to replace these certificates with SHA-1–based certificates.