fetch_ceph_keys.py uses insecure sha1 function

Bug #1826327 reported by Michal Nasiadka
This bug affects 1 person
Affects          Status          Importance   Assigned to        Milestone
kolla            Fix Released    Medium       Unassigned
  Queens         Fix Committed   Medium       Unassigned
  Rocky          Fix Committed   Medium       Unassigned
  Stein          Fix Released    Medium       Unassigned
  Train          Fix Released    Medium       Unassigned
kolla-ansible    Fix Released    Medium       Michal Nasiadka
  Queens         Fix Committed   Medium       Unassigned
  Rocky          Fix Committed   Medium       Unassigned
  Stein          Fix Committed   Medium       Unassigned
  Train          Fix Released    Medium       Michal Nasiadka

Bug Description

Bandit test results:

2019-04-24 19:47:37.474705 | ubuntu-bionic | Test results:
2019-04-24 19:47:37.474825 | ubuntu-bionic | >> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
2019-04-24 19:47:37.474900 | ubuntu-bionic | Severity: Medium Confidence: High
2019-04-24 19:47:37.474999 | ubuntu-bionic | Location: docker/ceph/ceph-mon/fetch_ceph_keys.py:53
2019-04-24 19:47:37.475140 | ubuntu-bionic | More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
2019-04-24 19:47:37.475239 | ubuntu-bionic | 52 return {'content': base64.b64encode(zlib.compress(raw_data)),
2019-04-24 19:47:37.475327 | ubuntu-bionic | 53 'sha1': hashlib.sha1(raw_data).hexdigest(),
2019-04-24 19:47:37.475388 | ubuntu-bionic | 54 'filename': filename}

Mark Goddard (mgoddard) wrote :

Looks like we're skipping B303, which is why this doesn't fail pep8.

Changed in kolla:
assignee: nobody → Michal Nasiadka (mnasiadka)
Changed in kolla-ansible:
assignee: nobody → Michal Nasiadka (mnasiadka)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/655845

Changed in kolla-ansible:
status: New → In Progress
Changed in kolla:
status: New → In Progress
Changed in kolla:
assignee: Michal Nasiadka (mnasiadka) → Marcin Juszkiewicz (hrw)
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.opendev.org/655623
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb
Submitter: Zuul
Branch: master

commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327

Changed in kolla:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/666082

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/666083

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/666084

Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
Changed in kolla:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/queens)

Reviewed: https://review.opendev.org/666084
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=7951713790464eedaec1e59851a42febc4acc346
Submitter: Zuul
Branch: stable/queens

commit 7951713790464eedaec1e59851a42febc4acc346
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327
    (cherry picked from commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/rocky)

Reviewed: https://review.opendev.org/666083
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=8001de09236504b6bfd7aa01ec5657ef0fb2136e
Submitter: Zuul
Branch: stable/rocky

commit 8001de09236504b6bfd7aa01ec5657ef0fb2136e
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327
    (cherry picked from commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/stein)

Reviewed: https://review.opendev.org/666082
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=ac8609c0f1ebe0a6f87979811f5130286b4e9b18
Submitter: Zuul
Branch: stable/stein

commit ac8609c0f1ebe0a6f87979811f5130286b4e9b18
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327
    (cherry picked from commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 8.0.0.0rc2

This issue was fixed in the openstack/kolla 8.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/655845
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=ad9e8786a3823895624e892c6a233d16d530d830
Submitter: Zuul
Branch: master

commit ad9e8786a3823895624e892c6a233d16d530d830
Author: Michal Nasiadka <email address hidden>
Date: Fri Apr 26 11:15:57 2019 +0200

    Add support for sha256 in ceph key distribution

    - add support for sha256 in bslurp module
    - change sha1 to sha256 in ceph-mon ansible role

    Depends-On: https://review.opendev.org/655623
    Change-Id: I25e28d150f2a8d4a7f87bb119d9fb1c46cfe926f
    Closes-Bug: #1826327

Changed in kolla-ansible:
status: In Progress → Fix Released
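
Added example, not code from kolla or kolla-ansible: a sketch of the migration the two commits describe, where the producer emits sha256 beside sha1 and the consumer verifies sha256. The function names, the `sha256` field name, the `allow_legacy_sha1` switch and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import zlib

# Constructed sample input, not a real Ceph keyring.
SAMPLE_KEY = b'[mon.]\n\tkey = CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n'


def pack_key(filename, raw_data):
    """Producer: the dict shape Bandit flagged, with a sha256 digest added."""
    return {
        'content': base64.b64encode(zlib.compress(raw_data)).decode('ascii'),
        'sha1': hashlib.sha1(raw_data).hexdigest(),      # kept for old consumers
        'sha256': hashlib.sha256(raw_data).hexdigest(),  # assumed field name
        'filename': filename,
    }


def unpack_key(payload, allow_legacy_sha1=False):
    """Consumer: check the digest before the key material is used."""
    raw_data = zlib.decompress(base64.b64decode(payload['content']))
    if 'sha256' in payload:
        algo = 'sha256'
    elif allow_legacy_sha1 and 'sha1' in payload:
        # Opt-in only: a silent fallback would let a payload with the
        # sha256 field stripped be accepted on the weaker hash.
        algo = 'sha1'
    else:
        raise ValueError('no acceptable digest in payload')
    actual = hashlib.new(algo, raw_data).hexdigest()
    if not hmac.compare_digest(actual, payload[algo]):
        raise ValueError('%s mismatch for %s' % (algo, payload['filename']))
    return raw_data, algo


if __name__ == '__main__':
    packed = pack_key('ceph.mon.keyring', SAMPLE_KEY)
    data, used = unpack_key(packed)
    print('verified %d bytes with %s' % (len(data), used))
```

The digest travels in the same payload as the content, so this check catches corruption or truncation in transit; it does not authenticate the payload against someone able to rewrite both fields.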
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 6.2.3

This issue was fixed in the openstack/kolla 6.2.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 7.0.4

This issue was fixed in the openstack/kolla 7.0.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 9.0.0.0rc1

This issue was fixed in the openstack/kolla 9.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 9.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 9.0.0.0rc1 release candidate.
