fetch_ceph_keys.py uses insecure sha1 function

Bug #1826327 reported by Michal Nasiadka on 2019-04-25
Affects         Status                   Importance   Assigned to          Milestone
kolla           Status tracked in Train
  Queens                                 Medium       Unassigned
  Rocky                                  Medium       Unassigned
  Stein                                  Medium       Unassigned
  Train                                  Medium       Marcin Juszkiewicz
kolla-ansible   Status tracked in Train
  Queens                                 Undecided    Unassigned
  Rocky                                  Undecided    Unassigned
  Stein                                  Undecided    Unassigned
  Train                                  Medium       Michal Nasiadka

Bug Description

Bandit test results:

2019-04-24 19:47:37.474705 | ubuntu-bionic | Test results:
2019-04-24 19:47:37.474825 | ubuntu-bionic | >> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
2019-04-24 19:47:37.474900 | ubuntu-bionic | Severity: Medium Confidence: High
2019-04-24 19:47:37.474999 | ubuntu-bionic | Location: docker/ceph/ceph-mon/fetch_ceph_keys.py:53
2019-04-24 19:47:37.475140 | ubuntu-bionic | More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
2019-04-24 19:47:37.475239 | ubuntu-bionic | 52 return {'content': base64.b64encode(zlib.compress(raw_data)),
2019-04-24 19:47:37.475327 | ubuntu-bionic | 53 'sha1': hashlib.sha1(raw_data).hexdigest(),
2019-04-24 19:47:37.475388 | ubuntu-bionic | 54 'filename': filename}

Mark Goddard (mgoddard) wrote :

Looks like we're skipping B303, which is why this doesn't fail pep8.

Changed in kolla:
assignee: nobody → Michal Nasiadka (mnasiadka)
Changed in kolla-ansible:
assignee: nobody → Michal Nasiadka (mnasiadka)

Fix proposed to branch: master
Review: https://review.opendev.org/655845

Changed in kolla-ansible:
status: New → In Progress
Changed in kolla:
status: New → In Progress
Changed in kolla:
assignee: Michal Nasiadka (mnasiadka) → Marcin Juszkiewicz (hrw)

Reviewed: https://review.opendev.org/655623
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb
Submitter: Zuul
Branch: master

commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327

Changed in kolla:
status: In Progress → Fix Released
Mark Goddard (mgoddard) on 2019-06-19
Changed in kolla-ansible:
importance: Undecided → Medium
Changed in kolla:
importance: Undecided → Medium

Reviewed: https://review.opendev.org/666084
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=7951713790464eedaec1e59851a42febc4acc346
Submitter: Zuul
Branch: stable/queens

commit 7951713790464eedaec1e59851a42febc4acc346
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327
    (cherry picked from commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb)

Reviewed: https://review.opendev.org/666083
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=8001de09236504b6bfd7aa01ec5657ef0fb2136e
Submitter: Zuul
Branch: stable/rocky

commit 8001de09236504b6bfd7aa01ec5657ef0fb2136e
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327
    (cherry picked from commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb)

Reviewed: https://review.opendev.org/666082
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=ac8609c0f1ebe0a6f87979811f5130286b4e9b18
Submitter: Zuul
Branch: stable/stein

commit ac8609c0f1ebe0a6f87979811f5130286b4e9b18
Author: Michal Nasiadka <email address hidden>
Date: Thu Apr 25 09:06:28 2019 +0200

    Add sha256 in ceph fetch keys

    fetch_ceph_keys.py is using insecure sha1 function, this patch adds
    sha256 beside sha1 - in order to remove sha1 safely in U release.

    Change-Id: I32ba1abd204c9dba4bbe3132b5650b0e391616af
    Closes-Bug: #1826327
    (cherry picked from commit 0a2dc8aa1d267da3c1c2925b3f292bd96aa50edb)

This issue was fixed in the openstack/kolla 8.0.0.0rc2 release candidate.

Reviewed: https://review.opendev.org/655845
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=ad9e8786a3823895624e892c6a233d16d530d830
Submitter: Zuul
Branch: master

commit ad9e8786a3823895624e892c6a233d16d530d830
Author: Michal Nasiadka <email address hidden>
Date: Fri Apr 26 11:15:57 2019 +0200

    Add support for sha256 in ceph key distribution

    - add support for sha256 in bslurp module
    - change sha1 to sha256 in ceph-mon ansible role

    Depends-On: https://review.opendev.org/655623
    Change-Id: I25e28d150f2a8d4a7f87bb119d9fb1c46cfe926f
    Closes-Bug: #1826327

Changed in kolla-ansible:
status: In Progress → Fix Released
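The payload shape flagged by Bandit in the bug description (compressed, base64-encoded content plus a digest of the raw bytes) and the consumer-side change described in the kolla-ansible commit (the bslurp module learning to check sha256) can be shown end to end with a small producer/consumer pair. The following is an added example written for this page; it is not kolla's fetch_ceph_keys.py, not kolla-ansible's bslurp module, and the function names pack_key and unpack_key, the allow_sha1_fallback knob and the sample keyring are all assumptions made here. It keeps both digests on the producer side, as the kolla patch does, and prefers sha256 on the consumer side, accepting a sha1-only payload only when the caller opts in, which is the property that lets sha1 be dropped later without a flag day.

```python
"""Added example for this bug page: produce and verify a key payload
carrying both SHA-1 and SHA-256 digests. Not kolla or kolla-ansible code;
pack_key, unpack_key and the sample keyring are assumptions."""
import base64
import hashlib
import hmac
import zlib


def pack_key(filename, raw_data):
    """Build the payload the way the patched fetcher does: compressed,
    base64-encoded content plus digests of the *uncompressed* bytes.
    Both digests are emitted so consumers that still check sha1 keep
    working while updated consumers check sha256."""
    return {
        'content': base64.b64encode(zlib.compress(raw_data)).decode('ascii'),
        'sha1': hashlib.sha1(raw_data).hexdigest(),      # kept for old consumers
        'sha256': hashlib.sha256(raw_data).hexdigest(),  # the new check
        'filename': filename,
    }


def unpack_key(payload, allow_sha1_fallback=False):
    """Decode the payload and verify its digest.

    sha256 is preferred. A payload carrying only 'sha1' is accepted only
    when the caller opts in (allow_sha1_fallback is an assumed name for
    that knob). Raises ValueError on a missing or mismatched digest."""
    raw = zlib.decompress(base64.b64decode(payload['content']))
    if 'sha256' in payload:
        expected = payload['sha256']
        actual = hashlib.sha256(raw).hexdigest()
    elif allow_sha1_fallback and 'sha1' in payload:
        expected = payload['sha1']
        actual = hashlib.sha1(raw).hexdigest()
    else:
        raise ValueError('payload carries no acceptable digest')
    # Constant-time comparison; not essential for a checksum, but free.
    if not hmac.compare_digest(expected, actual):
        raise ValueError('digest mismatch for %s' % payload['filename'])
    return raw


# Constructed sample keyring for the demo; not a real Ceph key.
SAMPLE_KEYRING = (b"[client.admin]\n"
                  b"\tkey = AQBexampleexampleexampleexampleexample==\n")


def demo():
    """Round-trip the sample, then show that a one-byte change is caught.
    Returns True when the tampered payload is rejected."""
    payload = pack_key('ceph.client.admin.keyring', SAMPLE_KEYRING)
    if unpack_key(payload) != SAMPLE_KEYRING:
        return False

    corrupted = bytearray(SAMPLE_KEYRING)
    corrupted[0] ^= 0x01
    tampered = dict(payload)
    tampered['content'] = base64.b64encode(
        zlib.compress(bytes(corrupted))).decode('ascii')
    try:
        unpack_key(tampered)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    print('tamper detected:', demo())
```

Two points worth keeping in mind when reading the fix. The digest is computed over the raw bytes, not the compressed or base64 form, so the consumer must decompress before checking. And because the digest travels in the same payload as the content, it detects corruption or an incomplete transfer, not a deliberate substitution by whoever controls that channel, since that party can recompute either digest; moving from sha1 to sha256 removes the collision-weak primitive Bandit flags, but does not turn the checksum into an authentication mechanism.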