juju-core

blobstore's hashing needs improvement

Bug #1364750 reported by Andrew Wilkins on 2014-09-03

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	juju-core	Fix Released	High	Ian Booth	juju-core 1.21-alpha1

Bug Description

blobstore currently does MD5 & SHA-256, which is not any more secure than SHA-256 alone. See: http://crypto.stackexchange.com/questions/1170/best-way-to-reduce-chance-of-hash-collisions-multiple-hashes-or-larger-hash

Instead, use SHA-256 or SHA-512 alone. This must be done before we release anything using blobstore, which is about to enter as a dependency into master.

Revision history for this message

John A Meinel (jameinel) wrote on 2014-09-03:

This is important, but calling it Critical makes other actual Critical things less important. It would be critical if there was an actual security exploit and we needed to drop everything and fix it.

Changed in juju-core:
importance:	Critical → High
status:	New → Triaged

Revision history for this message

Andrew Wilkins (axwalk) wrote on 2014-09-03:

Sorry, wasn't meaning to suggest there was a security problem; just that we want to avoid having to migrate things unnecessarily later. This needs to be done before we release 1.21-alpha1 (assuming the code that uses blobstore lands), that's all.

Ian Booth (wallyworld) on 2014-09-09

Changed in juju-core:
assignee:	nobody → Ian Booth (wallyworld)
status:	Triaged → In Progress

Ian Booth (wallyworld) on 2014-09-09

Changed in juju-core:
status:	In Progress → Fix Committed

Curtis Hovey (sinzui) on 2014-09-10

Changed in juju-core:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.