yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #82440
[Bug 1875439] Re: glance requires md5 implementation be available
Given this is only being fixed in master, and is also not in itself a
vulnerability, I don't think we'll need a formal security advisory and
CVE assignment. This is probably most accurately classified as a
security hardening opportunity (report class D in the VMT's taxonomy):
https://security.openstack.org/vmt-process.html#incident-report-taxonomy
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Won't Fix
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1875439
Title:
glance requires md5 implementation be available
Status in Glance:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Glance populates a legacy 'checksum' image property which is an md5
hash of image data content. It's a "legacy" property because it has
not been required for the validation of downloaded image data since
glance version 17.0.0 (Rocky) when the operator-configurable secure
"multihash" was implemented. However, the 'checksum' property has
continued to be populated for backward compatibility. In order to
populate the field, even as a courtesy, an implementation of the md5
algorithm must be available to glance; but this cannot be guaranteed
in environments that comply with various security standards (for
example, FIPS). As a result, there are environments in which glance
cannot be run, and of course, these are most likely exactly the
environments in which people want to run glance.
To remove the dependency on the insecure MD5 algorithm, glance should
stop populating the legacy 'checksum' field. It has already been made
redundant by the secure "multihash" and is unnecessary. In order to
preserve backward compatibility, the field will not be removed.
As a timeframe for fixing this: an announcement can be made to
operators as part of the Ussuri release, and code using md5 will be
removed during the Victoria development cycle. Thus the Victoria
release will not require Glance to be executed in a non-compliant
security environment.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1875439/+subscriptions
References