Glance uses an insecure cryptographic algorithm, md5, to verify image integrity.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance | New | Undecided | Unassigned | |
Bug Description
OpenStack components use an md5 checksum for images by default. SHA256, SHA512, or other more secure algorithms should be used.
Pre-conditions: NA
Step-by-step reproduction steps: NA
Expected output: NA
Actual output: NA
Version: Train
Environment: NA
Perceived severity: NA
Tags (Affected component): NA
Attachments: glance uses MD5 as the checksum by default.
For example:
glance/
def cache_tee_
try:
with self.driver.
for chunk in image_iter:
if (image_checksum and
msg = _("Checksum verification failed. Aborted "
Isn't this fixed thanks to the implementation of multihash? See https://specs.openstack.org/openstack/glance-specs/specs/rocky/implemented/glance/multihash.html.
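
A client-side check along the lines the comment above points to, as an added example that is not part of the original bug report or Glance's own code: it verifies downloaded image data against the multihash fields of the image record (`os_hash_algo`, `os_hash_value`) and refuses to fall back to the legacy MD5 `checksum`. The function names, the `WEAK_ALGOS` policy set and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Local policy for this example (an assumption, not a Glance setting):
# digests that are not accepted as proof of image integrity.
WEAK_ALGOS = {"md5", "sha1"}


class ImageVerificationError(Exception):
    """Raised when an image cannot be verified with a strong digest."""


def iter_chunks(fileobj, chunk_size=65536):
    """Yield the image in chunks so large files never sit in memory."""
    while chunk := fileobj.read(chunk_size):
        yield chunk


def verify_image(image_meta, chunks):
    """Check streamed image data against the record's multihash.

    image_meta is a dict shaped like a Glance v2 image record: 'checksum'
    is the legacy MD5 value, 'os_hash_algo' and 'os_hash_value' carry the
    multihash. Returns (algorithm, bytes_read) on success.
    """
    algo = (image_meta.get("os_hash_algo") or "").lower()
    expected = (image_meta.get("os_hash_value") or "").lower()
    if not algo or not expected:
        # Older records only have the MD5 'checksum'; do not fall back to it.
        raise ImageVerificationError("image has no multihash, only legacy MD5")
    if algo in WEAK_ALGOS or algo not in hashlib.algorithms_available:
        raise ImageVerificationError(f"refusing hash algorithm {algo!r}")
    hasher = hashlib.new(algo)
    size = 0
    for chunk in chunks:
        hasher.update(chunk)
        size += len(chunk)
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(hasher.hexdigest().encode(), expected.encode()):
        raise ImageVerificationError(f"{algo} mismatch, image rejected")
    return algo, size


def build_sample():
    """Constructed image bytes and a constructed image record for the demo."""
    data = b"constructed image payload\n" * 4096
    meta = {"checksum": "0" * 32,  # placeholder for the legacy MD5 field
            "os_hash_algo": "sha512",
            "os_hash_value": hashlib.sha512(data).hexdigest()}
    return meta, data
```

Images whose record carries only `checksum` are rejected by this check rather than verified with MD5.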