Where should this be reported?
Either the checksum for ArcGIS-1081-S-UN2-PatchB.msp appears to be wrong, or the patch file is corrupt or compromised. I cannot validate the file against any published hash.
On the patch download page it is (MD5): 455ADECD1A49032B9AA338BE96173E18
In the patch notification file it is (MD5): 4DB7CA835962E6C2BFA85A7786FDE547 (this appears to be for the ArcGIS-1081-S-UN2-Patch.msp file (without the "B").
The value I calculate is: (MD5) B4B20C8491FC4EBF2AF612928B70391D
There are a number of other patches in the patch notification file that have missing or incorrect checksums: e.g.
ArcGIS-109-PFA-MM1-Patch.msp (has an (extra) leading 1 in the hash)
ArcGIS-1081-S-IS-Patch.msp (has an SHA256 and MD5 hash in the SHA256sums list and an incorrect MD5 hash in the MD5sums list)
ArcGIS-1081-S-PSTE-Patch.msp (has an incorrect SHA256 hash)
No. In that case, they were using the wrong hashing algorithm. If you read the details of my post, some of the hashes are missing, some of the hashes don't match the calculated hash (using the corresponding algorithm), and, in the .json file, some of the hashes are wrong and in the wrong hash list.