yahoo-eng-team team mailing list archive

[Bug 1588064] [NEW] secret_key.py doesn't warn when reverting to insecure key generation

 

Public bug reported:

secret_key.py is used to generate a 64-bit key used by Django; however
when it cannot find the 'SystemRandom' extension to the 'random' package
it reverts to a generator that is, by documentation, not secure
cryptographically.  Witness:

https://docs.python.org/2/library/random.html

Reverting to the generator without leaving a warning is a hazard from a
system security perspective.  We should log at WARN that there is a
possible security issue in the configuration.

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1588064

Title:
  secret_key.py doesn't warn when reverting to insecure key generation

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1588064/+subscriptions
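
One way to emit the warning this report asks for, as an added example that is not Horizon's secret_key.py. The logger name, the random_module parameter (which lets the fallback path be exercised), the returned flag and the 64-character default length are assumptions made for illustration.

```python
import logging
import random
import string

# Logger name is an assumption; a real module would use its own logger.
LOG = logging.getLogger("secret_key_example")

ALPHABET = string.digits + string.ascii_letters


def generate_key(key_length=64, random_module=random):
    """Return (key, secure).

    secure is True when the key came from SystemRandom (OS entropy) and
    False when the code fell back to the default generator, which the
    Python documentation describes as unsuitable for security purposes.
    """
    system_random = getattr(random_module, "SystemRandom", None)
    if system_random is not None:
        choice = system_random().choice
        secure = True
    else:
        # The point of the bug report: never fall back silently.
        LOG.warning(
            "random.SystemRandom is unavailable; generating the secret key "
            "with a non-cryptographic generator. The key may be predictable."
        )
        choice = random_module.choice
        secure = False
    key = "".join(choice(ALPHABET) for _ in range(key_length))
    return key, secure


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    key, secure = generate_key()
    print("generated %d characters, secure source: %s" % (len(key), secure))
```

Returning the flag alongside the key lets a caller refuse to start with a weak key instead of only logging.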

