Glance is still using outdated md5 for image signing
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | New | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
Glance is still using md5 for image signing. MD5 is outdated and should not be used for security reasons. It makes it possible for malicious users to generate a malicious image with the same hash value.
https:/
Glance already supports computing checksums of images when an image is uploaded, and this checksum is stored with the image. This same hash (which by default is MD5) will be used for the signature verification.
In the code:
https:/
line 242:
```python
def cache_tee_
    try:
        with self.driver.
            for chunk in image_iter:
```
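The report's point is that the checksum Glance computes while streaming an upload is later reused for signature verification, so the algorithm behind that checksum is security-relevant. The following is an added, stand-alone illustration of that streaming "tee" pattern with an explicit hash allow-list; it is not Glance's code and the function names (`checksum_tee`, `verify_image`, `chunks`), the `ALLOWED_HASH_ALGOS` set and the sample payload are assumptions constructed for this example.

```python
import hashlib
import hmac
from typing import Iterable, Iterator

# Hash algorithms accepted for image integrity checks in this example
# (an assumed allow-list, not a Glance setting). MD5 is deliberately
# absent: collisions are practical, so two different images can share
# an MD5 checksum and a verifier keyed on it cannot tell them apart.
ALLOWED_HASH_ALGOS = {"sha256", "sha512"}


def checksum_tee(image_iter: Iterable[bytes], hasher) -> Iterator[bytes]:
    """Yield each chunk unchanged while feeding it into `hasher`.

    This is the "tee" shape of the Glance loop quoted above: the caller
    keeps streaming chunks to their destination, and the digest is
    complete once the iterator has been exhausted.
    """
    for chunk in image_iter:
        hasher.update(chunk)
        yield chunk


def verify_image(image_iter: Iterable[bytes], expected_hexdigest: str, algo: str = "sha512"):
    """Stream an image, digest it with `algo`, and compare to the expected value.

    Returns (ok, hexdigest, total_bytes). Raises ValueError if `algo` is
    not in the allow-list, so a weak algorithm cannot be used silently.
    """
    if algo not in ALLOWED_HASH_ALGOS:
        raise ValueError(f"hash algorithm {algo!r} is not allowed for image verification")
    hasher = hashlib.new(algo)
    total = 0
    for chunk in checksum_tee(image_iter, hasher):
        total += len(chunk)  # stand-in for writing the chunk to the cache or store
    digest = hasher.hexdigest()
    # Constant-time comparison so the check does not leak how many leading
    # characters of the expected digest matched.
    ok = hmac.compare_digest(digest, expected_hexdigest.lower())
    return ok, digest, total


def chunks(data: bytes, size: int = 4) -> Iterator[bytes]:
    """Split constructed sample data into small chunks to simulate streaming."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


# Constructed sample payload standing in for an uploaded image (not a real disk image).
SAMPLE_IMAGE = b"constructed-sample-image-bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    ok, digest, n = verify_image(chunks(SAMPLE_IMAGE), SAMPLE_SHA256, algo="sha256")
    print("intact image verifies:", ok, digest, n)
    tampered = SAMPLE_IMAGE[:-1] + b"X"
    print("tampered image verifies:", verify_image(chunks(tampered), SAMPLE_SHA256, algo="sha256")[0])
    try:
        verify_image(chunks(SAMPLE_IMAGE), SAMPLE_SHA256, algo="md5")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the important design choice: the weakness described in the report comes from a default that is reasonable for cache integrity (detecting accidental corruption) being reused where collision resistance matters, and an explicit check at the verification boundary prevents that reuse from happening by default.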
- information type: Private Security → Public
- Changed in ossa:
  - status: Incomplete → Won't Fix
  - description: updated
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
Is this a duplicate of bug 1516031, and is this affecting stable/release?