yahoo-eng-team team mailing list archive
Message #51798
[Bug 1588064] [NEW] secret_key.py doesn't warn when reverting to insecure key generation
Public bug reported:
secret_key.py is used to generate a 64-bit key used by Django; however
when it cannot find the 'SystemRandom' extension to the 'random' package
it reverts to a generator that is, by documentation, not secure
cryptographically. Witness:
https://docs.python.org/2/library/random.html
Reverting to the generator without leaving a warning is a hazard from a
system security perspective. We should log at WARN that there is a
possible security issue in the configuration.
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1588064
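The behaviour the report asks for, sketched as an added example (this is not Horizon's secret_key.py, and not code from the reporter): pick SystemRandom when it is usable, otherwise log at WARNING before falling back. The names pick_choice, generate_key, NoSystemRandom, the logger name, the 64-character default and the require_secure option (a fail-closed variant that goes beyond the report) are assumptions made for illustration.

```python
import logging
import random
import string

LOG = logging.getLogger("secret_key_example")  # hypothetical logger name
ALPHABET = string.ascii_letters + string.digits


def pick_choice(rng_module=random):
    """Return (choice_function, is_secure) for the given random module.

    rng_module is injectable only so the fallback path can be exercised;
    real callers use the default.
    """
    system_random = getattr(rng_module, "SystemRandom", None)
    if system_random is not None:
        try:
            rng = system_random()
            rng.getrandbits(8)  # probe: raises if the OS has no entropy source
            return rng.choice, True
        except NotImplementedError:
            pass
    LOG.warning(
        "SystemRandom is unavailable; falling back to random.choice, "
        "which is NOT cryptographically secure. Treat keys generated "
        "this way as a configuration security issue."
    )
    return rng_module.choice, False


def generate_key(key_length=64, rng_module=random, require_secure=False):
    """Generate key_length characters; warn (or refuse) on insecure fallback."""
    choice, secure = pick_choice(rng_module)
    if require_secure and not secure:
        raise RuntimeError("no cryptographically secure random source available")
    return "".join(choice(ALPHABET) for _ in range(key_length))


class NoSystemRandom:
    """Constructed stand-in for a 'random' module that lacks SystemRandom."""
    choice = staticmethod(random.choice)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    generate_key()                            # secure path, nothing logged
    generate_key(rng_module=NoSystemRandom)   # fallback path, logs a WARNING
```

With the warning in place, a deployment that silently lost its secure source shows up in the service log instead of only in the quality of the key.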