
[Openstack-security] [Bug 1649634] Change abandoned on cinder (master)

Change abandoned by Sean McGinnis (sean.mcginnis at gmail.com) on branch: master
Review: https://review.openstack.org/410874
Reason: A few months with no updates. Feel free to restore and update if you wish to continue with this.

You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.

  Insecure Randomness for AES Passphrase Generation

Status in Cinder:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  In cinder/volume/drivers/synology/synology_common.py:176 in function
  _random_AES_passpharse() (sic), randint is used to generate an index
  that is used to select which character is added to the AES key.
  However, this is insecure and is stated in the Python documentation
  where they write "The pseudo-random generators of this module should
  not be used for security purposes."

  They recommend instead using os.urandom() or SystemRandom if a
  cryptographically secure PRNG is required.

  The proposed fix would simply be to use SystemRandom, as it has
  all of the same functions from random implemented and does not require
  any new libraries.

  Another option is to use the Crypto library, which is already imported
  in the file.

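As an added illustration (example code written for this page, not taken from the Cinder Synology driver, the bug report or the abandoned review), the following shows the pattern the report describes beside the fix it proposes. The character set, the function names and the `is_reproducible` check are assumptions made for the example; the driver's actual alphabet and code are not reproduced here. The check demonstrates the concrete failure mode: a passphrase drawn from `random.randint` is a pure function of the Mersenne Twister seed and comes back identical after reseeding, whereas `random.SystemRandom` and `secrets` ignore `random.seed` and read from `os.urandom`.

```python
import random
import secrets
import string

# Constructed alphabet for the example (assumption; the driver's real
# character set is not reproduced here).
ALPHABET = string.ascii_letters + string.digits + "~!@#$%^&*()_+-/"


def weak_passphrase(length, rng=random):
    """The pattern the bug report describes: random.randint picks an index
    into the alphabet.  The default generator of the random module is a
    Mersenne Twister: its output is fully determined by its seed and can be
    reconstructed from a few hundred observed outputs, so it must not be
    used to derive key material."""
    return "".join(ALPHABET[rng.randint(0, len(ALPHABET) - 1)]
                   for _ in range(length))


def strong_passphrase(length):
    """The fix proposed in the report: random.SystemRandom exposes the same
    randint()/choice() API as the random module but sources every value
    from os.urandom(), and it silently ignores seed()."""
    sysrand = random.SystemRandom()
    return "".join(sysrand.choice(ALPHABET) for _ in range(length))


def strong_passphrase_secrets(length):
    """Equivalent on Python 3.6+: secrets.choice is SystemRandom.choice
    behind a module whose name documents the intent."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_reproducible(gen, length=32, seed=1234):
    """Hypothetical check for the failure mode: reseed the global random
    module and generate twice.  True means the 'key' is a function of the
    seed rather than of system entropy, i.e. the generator is unfit for
    passphrases.  With a 77-symbol alphabet and 32 positions, an honest
    CSPRNG repeating itself here is not a realistic outcome."""
    random.seed(seed)
    first = gen(length)
    random.seed(seed)
    second = gen(length)
    return first == second


if __name__ == "__main__":
    print("randint-based generator reproducible:", is_reproducible(weak_passphrase))
    print("SystemRandom generator reproducible:  ", is_reproducible(strong_passphrase))
    print("secrets generator reproducible:       ", is_reproducible(strong_passphrase_secrets))
```

The `SystemRandom` route keeps the original call shape (`randint` over an index) if a minimal diff is preferred, but `choice` avoids the off-by-one risk of hand-computed index bounds; both draw unbiased values, since `SystemRandom.randint` uses rejection sampling over `getrandbits`. The report's other option, the already imported `Crypto` library, is not shown here because it depends on which PyCrypto/PyCryptodome API is available in the driver's environment.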