
yahoo-eng-team team mailing list archive

[Bug 1588064] Re: secret_key.py doesn't warn when reverting to insecure key generation


Reviewed:  https://review.openstack.org/324104
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=b2b801b3457f1f9d7625add75f2b52057cbbbb6c
Submitter: Jenkins
Branch:    master

commit b2b801b3457f1f9d7625add75f2b52057cbbbb6c
Author: Matt Borland <matt.borland@xxxxxxx>
Date:   Wed Jun 1 15:08:12 2016 -0600

    Add warning when falling back to insecure key generation
    
    When secret_key.py generates the key, it silently regresses when
    SystemRandom isn't present.  We need the reversion for non-production
    environments, but we need to warn in environments when SystemRandom isn't
    being used.  See the bug report for more details.
    
    Change-Id: Ibed0a41d377317db9bdfa1c9a277eb70691172e7
    Closes-Bug: 1588064


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1588064

Title:
  secret_key.py doesn't warn when reverting to insecure key generation

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  secret_key.py is used to generate a 64-bit key used by Django; however,
  when it cannot find the 'SystemRandom' extension to the 'random'
  package it reverts to a generator that is, by documentation, not
  cryptographically secure.  Witness:

  https://docs.python.org/2/library/random.html

  Reverting to the generator without leaving a warning is a hazard from
  a system security perspective.  We should log at WARN that there is a
  possible security issue in the configuration.

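The fallback the bug describes, and the warning the fix asks for, as an added example. This is not Horizon's secret_key.py and not the committed patch; it is a stand-alone sketch of the same pattern: draw the key from random.SystemRandom (OS entropy via os.urandom), and only if that is unavailable fall back to the Mersenne Twister generator in random while logging at WARNING and telling the caller the key is not secure. The key length of 64, the alphabet, and the force_insecure flag (added so the fallback path can be exercised on a host that does have an entropy source) are assumptions of this example.

```python
"""Added example: secret key generation with a logged warning on insecure fallback.

Not Horizon's secret_key.py. The fallback condition mirrors the bug report:
random.SystemRandom (OS entropy) is preferred; the non-cryptographic default
generator is used only as a last resort, and never silently.
"""
import logging
import random
import string

LOG = logging.getLogger(__name__)

# Alphabet for the key (assumption: Django's SECRET_KEY accepts any printable
# characters, so letters, digits and punctuation are all usable).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

FALLBACK_WARNING = ("random.SystemRandom is unavailable; generating the secret key "
                    "with a non-cryptographic PRNG. Do NOT use this key in production.")


def _choose_generator(force_insecure=False):
    """Return (generator, is_secure).

    The random.SystemRandom class itself is always defined; on a platform with
    no OS entropy source it is os.urandom() that raises NotImplementedError,
    and that only surfaces on the first draw. So the probe draws one value
    instead of merely checking that the class exists.
    """
    if not force_insecure:
        try:
            rng = random.SystemRandom()
            rng.random()  # probe: forces a call into os.urandom()
            return rng, True
        except NotImplementedError:
            pass
    # Insecure path: log it loudly rather than regress silently.
    LOG.warning(FALLBACK_WARNING)
    return random.Random(), False


def generate_key(key_length=64, force_insecure=False):
    """Return (key, is_secure).

    key_length=64 is an assumption for this example. The is_secure flag lets
    a caller refuse to proceed (or fail a deployment check) when the key did
    not come from an OS entropy source.
    """
    rng, secure = _choose_generator(force_insecure)
    key = "".join(rng.choice(ALPHABET) for _ in range(key_length))
    return key, secure


def key_is_well_formed(key, key_length=64):
    """Sanity check usable in a deployment test: right length, right alphabet."""
    return len(key) == key_length and all(c in ALPHABET for c in key)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    key, secure = generate_key()
    print("secure=%s key=%s" % (secure, key))
    # Exercise the fallback path deliberately so the warning is visible.
    key, secure = generate_key(force_insecure=True)
    print("secure=%s key=%s" % (secure, key))
```

Returning the is_secure flag alongside the key is the part a practitioner would add beyond the log line: a WARNING can be missed in a log stream, whereas a caller that checks the flag can refuse to write an insecure key into a production settings file.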
