[Openstack-security] [Bug 1649634] Change abandoned on cinder (master)
Change abandoned by Sean McGinnis (sean.mcginnis at gmail.com) on branch: master
Reason: A few months with no updates. Feel free to restore and update if you wish to continue with this.
Insecure Randomness for AES Passphrase Generation
Status in Cinder:
Status in OpenStack Security Advisory:
In cinder/volume/drivers/synology/synology_common.py:176 in function
_random_AES_passpharse() (sic) randint is used to generate an index
that is used to select which character is added to the AES key.
However, this is insecure and is stated in the Python documentation
where they write "The pseudo-random generators of this module should
not be used for security purposes."
They recommend instead using os.urandom() or SystemRandom if a
cryptographically secure prng is required.
The proposed fix would simply be to use SystemRandom, as it has
all of the same functions from random implemented and does not require
any new libraries.
Another option is to use the Crypto library which is already imported
in the file.
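The pattern described in the report, side by side with the SystemRandom fix it proposes, as an added example (not cinder's own code; the 62-character alphabet, the 32-character length and the seed value are assumptions chosen for illustration). The weak version is driven by an explicit random.Random instance so that the test can show two equally seeded generators producing the same "random" passphrase.

```python
import random
import string

# Alphabet constructed for this example; the Synology driver's actual
# character set is not shown on the page.
ALPHABET = string.ascii_letters + string.digits


def weak_passphrase(length=32, rng=None):
    """Mirror of the reported pattern: random.randint picks the index of
    each character. The default generator is a Mersenne Twister whose
    output is fully determined by its (observable or guessable) seed."""
    rng = random if rng is None else rng
    return "".join(ALPHABET[rng.randint(0, len(ALPHABET) - 1)]
                   for _ in range(length))


def secure_passphrase(length=32):
    """Same code shape, but random.SystemRandom draws from os.urandom(),
    so there is no seed state to recover and the passphrase is
    cryptographically unpredictable."""
    sysrand = random.SystemRandom()
    return "".join(ALPHABET[sysrand.randint(0, len(ALPHABET) - 1)]
                   for _ in range(length))


def weak_is_reproducible(seed=1234, length=32):
    """True when two generators started from the same seed yield the same
    passphrase, i.e. the key is a function of the seed, not of entropy."""
    first = weak_passphrase(length, random.Random(seed))
    second = weak_passphrase(length, random.Random(seed))
    return first == second


def system_random_ignores_seed(seed=1234, length=32):
    """SystemRandom.seed() is documented as a no-op, so two instances given
    the same seed still produce independent output."""
    first = weak_passphrase(length, random.SystemRandom(seed))
    second = weak_passphrase(length, random.SystemRandom(seed))
    return first != second
```

With the default generator an attacker who learns or guesses the seed can regenerate the key; with SystemRandom there is no seed to learn.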