OpenStackKeyring's encryption code does not provide confidentiality
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| python-openstackclient | Fix Released | High | Dean Troyer | |
Bug Description
The keying used for the block cipher in the keyring code (https:/
As an aside, this code also assumes that PyCrypto provides a default IV (which is bad), however this is no longer true in more recent PyCryptos; to me this indicates that this code probably isn't used (since the requirements.txt doesn't pin the version) and thus should be removed rather than rehabilitated.
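Added illustration, not code from python-openstackclient or the bug reporter: it shows what the "default IV" assumption costs. AES is replaced by an HMAC-SHA256 counter-mode keystream so the snippet runs on the standard library alone, and `derive_key`, `encrypt`, `iv_reuse_leak` and the salt and password values are constructed for this example; the IV lesson carries over unchanged to a real block cipher.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a block cipher: a counter-mode keystream built from
# HMAC-SHA256. Like AES-CBC/CTR it needs a unique IV per message; unlike a
# library's silent default IV, the caller here must supply or generate one.


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit key from a password with salted, iterated PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Keystream block i = PRF(key, iv || i); identical (key, iv) gives identical bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, iv=None) -> bytes:
    """Return iv || ciphertext. A fresh random IV is drawn when none is given;
    passing a fixed IV reproduces the 'default IV' mistake from the report."""
    if iv is None:
        iv = os.urandom(16)
    ks = keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Split off the transmitted IV and strip the keystream again."""
    iv, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, iv, len(ct))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leak(key: bytes, pt1: bytes, pt2: bytes, iv: bytes) -> bool:
    """With one IV reused for two messages the keystream cancels out, so
    ct1 XOR ct2 == pt1 XOR pt2 is visible to anyone holding both ciphertexts.
    Returns True when that relationship is observable."""
    c1 = encrypt(key, pt1, iv)[16:]
    c2 = encrypt(key, pt2, iv)[16:]
    return xor_bytes(c1, c2) == xor_bytes(pt1, pt2)
```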
- information type: Private Security → Public
- Changed in python-openstackclient: milestone: none → m5
- Changed in python-openstackclient: status: Fix Committed → Fix Released
python-openstackclient is not an official project nor is it supported by the OpenStack Vulnerability Management Team, so this won't result in an OSSA. This still very much needs to be fixed, though! (especially as openstackclient would like to become official, and therefore probably supported, one day)