[Openstack-security] [Bug 1348339] Re: Use of weak MD5 algorithm

Eric Hibbard eric.hibbard at hds.com
Mon Jul 28 19:06:35 UTC 2014


Something to consider...when a crypto algorithm/function is used for
what is perceived to be a non-crypto use, it introduces a bunch of
baggage and should be part of the overall decision process. Some
organizations are taking a VERY hard line when it comes to the use of
things like MD5, SHA-1, RC4, etc. A generic question gets asked as to
whether the code/application uses certain banned algorithms. If the
answer is "yes" then its use is not permitted within the organization
unless a waiver is approved (may not be an option). In such a scenario,
the person wanting to use the code is put in the position of justifying
the waiver and "accepting" the risks...often considered a career
limiting move. I've also seen crypto issues used as a way of
down-selecting choices (vendor, code bases etc.).

It seems prudent to just make this problem go away by replacing MD5 with
SHA-2, especially when we've found it. Coming back later to find these
because of a data breach or other problem can be a massive waste of
time.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1348339

Title:
  Use of weak MD5 algorithm

Status in OpenStack Security Advisories:
  Won't Fix
Status in Openstack Database (Trove):
  Triaged

Bug description:
  The file: trove/trove/guestagent/strategies/storage/swift.py line 54
  uses a weak hashing algorithm, MD5. It would be a pretty simple
  hardening upgrade to use at least hashlib.SHA256.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1348339/+subscriptions
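The bug description asks for MD5 to be swapped for at least SHA-256, and the reply above argues for refusing banned algorithms outright rather than justifying a waiver. The following is an added example, not code from Trove or from anyone on this thread: a small checksum helper in the style of a storage backend that streams an object through hashlib in chunks, defaults to SHA-256, and rejects digests on a banned list (the list here is an assumption built from the algorithms the email names; the `BANNED_DIGESTS`, `new_hasher`, `checksum_chunks` and `checksum_matches` names are all invented for this illustration).

```python
import hashlib
import hmac
from typing import BinaryIO, Iterable

# Digests a hardening policy bans outright. Assumption: this list is built
# from the algorithms named in the email (MD5, SHA-1); RC4 is a cipher, not
# a digest, so it does not belong in a hashlib guard.
BANNED_DIGESTS = frozenset({"md5", "sha1"})

# The bug report asks for "at least" SHA-256, so that is the default.
DEFAULT_DIGEST = "sha256"


def is_banned(algorithm: str) -> bool:
    """True if the named digest is on the banned list (case-insensitive)."""
    return algorithm.lower() in BANNED_DIGESTS


def new_hasher(algorithm: str = DEFAULT_DIGEST):
    """Return a fresh hashlib object, refusing banned algorithms instead of
    letting a caller quietly opt back into MD5 or SHA-1."""
    if is_banned(algorithm):
        raise ValueError(
            f"digest {algorithm!r} is on the banned list; use sha256 or stronger"
        )
    return hashlib.new(algorithm.lower())


def checksum_chunks(chunks: Iterable[bytes], algorithm: str = DEFAULT_DIGEST) -> str:
    """Hex digest of a stream of byte chunks, the way a backup/storage
    backend would checksum an upload without buffering the whole object."""
    hasher = new_hasher(algorithm)
    for chunk in chunks:
        hasher.update(chunk)
    return hasher.hexdigest()


def checksum_file(fp: BinaryIO, algorithm: str = DEFAULT_DIGEST,
                  block_size: int = 64 * 1024) -> str:
    """Checksum an open binary file object in fixed-size blocks."""
    return checksum_chunks(iter(lambda: fp.read(block_size), b""), algorithm)


def checksum_matches(expected_hex: str, actual_hex: str) -> bool:
    """Constant-time comparison of two hex digests, so a mismatch does not
    leak how many leading characters agreed."""
    return hmac.compare_digest(expected_hex.lower(), actual_hex.lower())


if __name__ == "__main__":
    # Constructed sample payload; any real backend would read the object stream.
    sample = [b"constructed sample ", b"backup payload"]
    digest = checksum_chunks(sample)
    print(DEFAULT_DIGEST, digest)
    print("matches itself:", checksum_matches(digest, digest))
    try:
        checksum_chunks(sample, "md5")
    except ValueError as exc:
        print("rejected:", exc)
```

Keeping the algorithm name in a single default constant means the audit question the email describes ("does the code use a banned algorithm?") can be answered by reading one line, and the guard in `new_hasher` turns a future regression into a hard failure rather than a silent downgrade.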
