yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1368074] Re: [Security-NIST]nova/virt/disk/api.py does not fit the NIST

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 11 Sep 2014 12:26:21 -0000
Reply-to: Bug 1368074 <1368074@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This feels like an interesting security strengthening, but I'm not sure
there currently is an exploitable vulnerability here, so no need for a
security advisory ?

** Changed in: ossa
       Status: New => Incomplete

** Also affects: nova
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1368074

Title:
  [Security-NIST]nova/virt/disk/api.py does not fit the NIST

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  def _generate_salt():
      salt_set = ('abcdefghijklmnopqrstuvwxyz'
                  'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                  '0123456789./')
      salt = 16 * ' '
      return ''.join([random.choice(salt_set) for c in salt])

  The function generates the random string as a key for encryption.
  As the random is a lib for generating pseudo-random number
  So it does not match the NIST stand

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1368074/+subscriptions

yahoo-eng-team team mailing list archive

[Bug 1368074] Re: ﻿[Security-NIST]﻿nova/virt/disk/api.py does not fit the NIST

[Bug 1368074] Re: [Security-NIST]nova/virt/disk/api.py does not fit the NIST