From anish2good at yahoo.co.in Fri Dec 1 06:55:54 2017
From: anish2good at yahoo.co.in (Anish)
Date: Fri, 1 Dec 2017 06:55:54 +0000 (UTC)
Subject: [Openstack-security] Cryptography - Learning
References: <1979960034.7695150.1512111354660.ref@mail.yahoo.com>
Message-ID: <1979960034.7695150.1512111354660@mail.yahoo.com>

Sorry, this is not SPAM; I thought of sharing it with this group.

Those who are interested in cryptography can generate symmetric and asymmetric cryptography practically using the site; the site for cryptography covers lots of encryption and decryption using all the advanced algorithms.

Note: Don't use any production keys.

| Message Digest                      | MD2, MD5, SHA, SHA-1, SHA-512, Tiger, Whirlpool, GOST, RIPEMD |
| Symmetric Key Encryption/Decryption | AES, DES, DESede, Blowfish, Twofish, IDEA, CAST5; AES/CBC/PKCS5Padding, AES/CBC/NoPadding, AES/ECB/NoPadding, AES/ECB/PKCS5Padding, DES/CBC/NoPadding, DES/CBC/PKCS5Padding, DES/ECB/NoPadding, DES/ECB/PKCS5Padding, DESede/CBC/NoPadding, DESede/CBC/PKCS5Padding, DESede/ECB/PKCS5Padding |
| Bcrypt Calculator                   | Generate hash and validate hash with workload 10, 11, 12, 13, 14 |
| PBE Encryption/Decryption           | PBEWITHMD5ANDDES, PBEWITHSHA1ANDRC2_128, PBEWITHMD5ANDTRIPLEDES |
| PGP Key Generation                  | RSA keys 1024, 2048, 4096; algorithms: BLOWFISH, TWOFISH, AES192, 258, 128, CAST5, TRIPLE_DES |
| RSA Encryption/Decryption           | Bits supported: 512, 1024, 2048, 4096 |
| DH Key Exchange                     | P & Q parameters, arriving at shared secret |
| PEM Decoder                         | Supported formats: CSR, CRL, CRT, PEM, PKCS7 |
| Self-Signed Cert Generation         | Generate self-signed certificate for testing |
| Test CA Certificate                 | Generate test CA certificate |
| Key Store Viewer                    | View keystore aliases and export the certificate in PEM format |
| IP Subnet Calculator                | Generate IP address range of the given CIDR |
| Ping/Locate IPv4/IPv6               | Online ping IPv4/IPv6 |
| IPv6/IPv4 Site Reachability Test    | Online curl IPv4/IPv6 address |
| Encoders/Decoders                   | URL Encode/Decode, Hex to String, String to Hex, Base64 Encode/Decode |
| Various String Functions            | Length, Reverse, Trim, Substring, Palindrome, many others |

-- 
Anish

From fungi at yuggoth.org Mon Dec 4 15:28:06 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Mon, 04 Dec 2017 15:28:06 -0000
Subject: [Openstack-security] [Bug 1732155] Re: bandit report: use defusedxml to avoid XML attack
References: <151065694305.7350.16228969126396748741.malonedeb@soybean.canonical.com>
Message-ID: <151240128655.10310.11530424124829629987.malone@wampee.canonical.com>

As no objections were raised, I'm triaging this report as a security
hardening opportunity now. Thanks!

** Information type changed from Private Security to Public

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  According to
  https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html
  Using various XML methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1732155

Title:
  bandit report: use defusedxml to avoid XML attack

Status in Cinder:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  According to
  https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html
  Using various XML methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1732155/+subscriptions

From 1708122 at bugs.launchpad.net Thu Dec 7 14:37:50 2017
From: 1708122 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 07 Dec 2017 14:37:50 -0000
Subject: [Openstack-security] [Bug 1708122] Fix included in openstack/heat 10.0.0.0b2
References: <150166534782.4172.13585998432019727052.malonedeb@gac.canonical.com>
Message-ID: <151265747069.11175.704904564576193140.malone@soybean.canonical.com>

This issue was fixed in the openstack/heat 10.0.0.0b2 development
milestone.

https://bugs.launchpad.net/bugs/1708122

Title:
  Don't return back the sensitive information to user

Status in OpenStack Heat:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  We return sensitive information to the user when some exception
  happens; for example, when a DBError happens, we return the whole SQL
  statement to the user, which is not safe. We also return the traceback
  to the user, which is not necessary. Maybe we can do the same thing as
  nova and cinder and add an attribute 'safe' to some exceptions to
  decide whether to return information like the error message details
  to the user.
To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1708122/+subscriptions

From 1737207 at bugs.launchpad.net Fri Dec 8 21:04:06 2017
From: 1737207 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 08 Dec 2017 21:04:06 -0000
Subject: [Openstack-security] [Bug 1737207] Re: Guest admin password and network information is logged at debug if libvirt.inject_partition != -2
References: <151275282506.3764.13107222303228891439.malonedeb@gac.canonical.com>
Message-ID: <151276704686.3211.4800991919318303957.malone@gac.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/526772

** Changed in: nova
       Status: Triaged => In Progress

https://bugs.launchpad.net/bugs/1737207

Title:
  Guest admin password and network information is logged at debug if
  libvirt.inject_partition != -2

Status in OpenStack Compute (nova):
  In Progress

Bug description:
  When using the libvirt driver and the inject_partition config option
  is != -2 (disabled), the driver will log the network information and
  admin password about the guest during disk injection:

  http://logs.openstack.org/50/524750/1/check/legacy-tempest-dsvm-neutron-full-centos-7/a7f051e/logs/screen-n-cpu.txt.gz#_Dec_04_13_42_41_311316

  Dec 04 13:42:41.311316 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Checking root disk injection InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {},
"version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3115}} Dec 04 13:42:41.314687 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Injecting InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3146}} This was introduced in Ocata 
(15.0.0): https://review.openstack.org/#/c/337790/

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1737207/+subscriptions

From 1611171 at bugs.launchpad.net Wed Dec 13 19:54:56 2017
From: 1611171 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 13 Dec 2017 19:54:56 -0000
Subject: [Openstack-security] [Bug 1611171] Fix included in openstack/designate 6.0.0.0b2
References: <20160809015520.22289.87995.malonedeb@soybean.canonical.com>
Message-ID: <151319489736.11281.6338136336880123481.malone@soybean.canonical.com>

This issue was fixed in the openstack/designate 6.0.0.0b2 development
milestone.

https://bugs.launchpad.net/bugs/1611171

Title:
  re-runs self via sudo

Status in Cinder:
  Fix Released
Status in Designate:
  Fix Released
Status in ec2-api:
  Fix Released
Status in gce-api:
  Fix Released
Status in Manila:
  In Progress
Status in masakari:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix
Status in Rally:
  Fix Released

Bug description:
  Hello, I'm looking through Designate source code to determine if it is
  appropriate to include in Ubuntu Main. This isn't a full security
  audit.

  This looks like trouble:

  ./designate/cmd/manage.py

      def main():
          CONF.register_cli_opt(category_opt)
          try:
              utils.read_config('designate', sys.argv)
              logging.setup(CONF, 'designate')
          except cfg.ConfigFilesNotFoundError:
              cfgfile = CONF.config_file[-1] if CONF.config_file else None
              if cfgfile and not os.access(cfgfile, os.R_OK):
                  st = os.stat(cfgfile)
                  print(_("Could not read %s. Re-running with sudo") % cfgfile)
                  try:
                      os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
                  except Exception:
                      print(_('sudo failed, continuing as if nothing happened'))

              print(_('Please re-run designate-manage as root.'))
              sys.exit(2)

  This is an interesting decision -- if the configuration file is _not_
  readable by the user in question, give the executing user complete
  privileges of the user that owns the unreadable file.

  I'm not a fan of hiding privilege escalation / modifications in
  programs -- if a user had recently used sudo and thus had the
  authentication token already stored for their terminal, this 'hidden'
  use of sudo may be unexpected and unwelcome, especially since it
  appears that argv from the first call leaks through to the sudo call.

  Is this intentional OpenStack style? Or unexpected for you guys too?

  (Feel free to make this public at your convenience.)

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1611171/+subscriptions

From 1732155 at bugs.launchpad.net Sat Dec 16 23:45:29 2017
From: 1732155 at bugs.launchpad.net (OpenStack Infra)
Date: Sat, 16 Dec 2017 23:45:29 -0000
Subject: [Openstack-security] [Bug 1732155] Re: bandit report: use defusedxml to avoid XML attack
References: <151065694305.7350.16228969126396748741.malonedeb@soybean.canonical.com>
Message-ID: <151346792990.11633.7931745401518718235.malone@gac.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/528516

** Changed in: cinder
       Status: New => In Progress

** Changed in: cinder
     Assignee: Jane Lee (lijing) => Sean McGinnis (sean-mcginnis)
https://bugs.launchpad.net/bugs/1732155

Title:
  bandit report: use defusedxml to avoid XML attack

Status in Cinder:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  According to
  https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html
  Using various XML methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1732155/+subscriptions

From tdecacqu at redhat.com Mon Dec 18 00:50:50 2017
From: tdecacqu at redhat.com (Tristan Cacqueray)
Date: Mon, 18 Dec 2017 00:50:50 -0000
Subject: [Openstack-security] [Bug 1711117] Re: paste_deploy flavor in sample configuration file shows misleading default
References: <150288400998.8690.1208903786666789257.malonedeb@soybean.canonical.com>
Message-ID: <151355825099.9602.5720129276106297701.launchpad@gac.canonical.com>

** Also affects: ossn
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1711117

Title:
  paste_deploy flavor in sample configuration file shows misleading
  default

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  The "flavor" option of the "[paste_deploy]" section defaults to
  "None", but the sample configuration and documentation [1] suggest
  that it is "keystone". This can lead to insecure deployments without
  authentication.

  The "glance-api.conf" file shows the following:

      #
      # Deployment flavor to use in the server application pipeline.
      #
      # Provide a string value representing the appropriate deployment
      # flavor used in the server application pipleline. This is typically
      # the partial name of a pipeline in the paste configuration file with
      # the service name removed.
      #
      # For example, if your paste section name in the paste configuration
      # file is [pipeline:glance-api-keystone], set ``flavor`` to
      # ``keystone``.
      #
      # Possible values:
      #     * String value representing a partial pipeline name.
      #
      # Related Options:
      #     * config_file
      #
      # (string value)
      #flavor = keystone

  This is misleading and can lead operators to think that the default
  flavor being used is "keystone", but this is not the case:

      DEBUG glance.common.config [-] paste_deploy.flavor = None log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2626

  Previously, in Mitaka, the flavor was defined something like this:

      # Partial name of a pipeline in your paste configuration file with the
      # service name removed. For example, if your paste section name is
      # [pipeline:glance-api-keystone] use the value "keystone" (string
      # value)
      #flavor =

  Therefore, somebody upgrading from a previous version would think that
  the default is now set to "keystone" instead of "None". In such cases
  the operator could remove the "flavor=keystone" definition, assuming
  that the default value is correct.

  Moreover, the configuration reference states that the default is
  "keystone" [1], but this is not the case, as the option does not set a
  default value, but a sample default [2].

  [1] https://docs.openstack.org/glance/latest/configuration/glance_api.html#paste_deploy
  [2] https://github.com/openstack/glance/blob/c4b0fbe632f759b00a1c326c17a05f134e93553d/glance/common/config.py#L33

  Taking into account that if the flavor for paste is not set this will
  lead to a deployment without authentication, if the sample default is
  different from the actual default, this should be stated clearly in
  the comment for that option.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1711117/+subscriptions

From 1653626 at bugs.launchpad.net Mon Dec 18 16:16:03 2017
From: 1653626 at bugs.launchpad.net (OpenStack Infra)
Date: Mon, 18 Dec 2017 16:16:03 -0000
Subject: [Openstack-security] [Bug 1653626] Change abandoned on cinder (master)
References: <20170103081148.1756.73437.malonedeb@chaenomeles.canonical.com>
Message-ID: <151361376355.17869.3165886824973894295.malone@soybean.canonical.com>

Change abandoned by Eric Harney (eharney at redhat.com) on branch: master
Review: https://review.openstack.org/416236
Reason: In merge conflict since July

https://bugs.launchpad.net/bugs/1653626

Title:
  IBM User tries to communicate with CoprHD securely, but fails to do so

Status in Cinder:
  In Progress

Bug description:
  An IBM user wanted to communicate with our backend CoprHD driver using
  a certificate. But right now, there is no provision to do so. CoprHD
  should provide an option in config to perform all operations (REST API
  calls) using certificate verification. Both CA-signed and self-signed
  certificates should be supported.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1653626/+subscriptions

From 1732155 at bugs.launchpad.net Tue Dec 19 01:08:25 2017
From: 1732155 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 19 Dec 2017 01:08:25 -0000
Subject: [Openstack-security] [Bug 1732155] Fix merged to cinder (master)
References: <151065694305.7350.16228969126396748741.malonedeb@soybean.canonical.com>
Message-ID: <151364570565.16639.17657818709479898836.malone@soybean.canonical.com>

Reviewed:  https://review.openstack.org/528516
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=4137c33922051546d45b6c9aa730433a401e3df1
Submitter: Zuul
Branch:    master

commit 4137c33922051546d45b6c9aa730433a401e3df1
Author: Sean McGinnis
Date:   Sat Dec 16 17:38:41 2017 -0600

    Use defusedxml for XML parsing

    The built-in xml module has some vulnerabilities to several known XML
    attacks. While the chances of this are limited with the way it is
    being used by some of the volume drivers, it is still a security risk
    that has been identified and has a mostly painless way to be mitigated
    with the defusedxml package [1].

    There are still some drivers performing XML parsing that are not
    covered by this patch. They need closer analysis to see how to best
    switch to the defusedxml equivalents. This patch covers the instances
    where it was a mostly drop in and replace from the native xml
    functionality to the defusedxml alternatives.

    [1] https://github.com/tiran/defusedxml/blob/master/README.md

    Change-Id: I083fc23eab6f712264919a250c6fb57cc0f6a11b
    Partial-bug: #1732155
https://bugs.launchpad.net/bugs/1732155

Title:
  bandit report: use defusedxml to avoid XML attack

Status in Cinder:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  According to
  https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html
  Using various XML methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1732155/+subscriptions
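The bug 1732155 messages above say why the stdlib XML parsers should be replaced, but not what defusedxml actually changes. The following is an added example, not cinder's or defusedxml's code: it builds the same guard from the standard library alone, using the expat callbacks that fire before any entity is expanded, and runs it against two constructed payloads (a shallow entity-expansion bomb and an external entity reference) plus a clean document. The payloads, the element names and the ForbiddenXML class are assumptions made for the demonstration.

```python
"""Hardened XML parsing with only the standard library.

Added example for bug 1732155; it is not cinder's or defusedxml's code.
It shows the mechanism defusedxml relies on: expat calls back *before* it
expands anything, so refusing entity declarations and external entity
references in those callbacks stops entity-expansion ("billion laughs")
and external-entity (XXE) payloads before any damage is done.  The
payloads below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
from xml.etree.ElementTree import TreeBuilder


class ForbiddenXML(ValueError):
    """Raised when a document uses an XML feature we refuse to process."""


def parse_hardened(data):
    """Parse bytes/str into an ElementTree Element, refusing entity
    declarations (internal or unparsed) and external entity references.

    A DOCTYPE without entity declarations is still accepted, which matches
    defusedxml's default for its ElementTree wrapper (forbid_dtd=False,
    forbid_entities=True, forbid_external=True).
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True          # deliver text in one chunk per node
    builder = TreeBuilder()

    def forbid_entity_decl(name, *_unused):
        # Fires for <!ENTITY ...> in the internal subset, before expansion.
        raise ForbiddenXML("entity declaration forbidden: %s" % name)

    def forbid_external_ref(context, base, system_id, public_id):
        # Fires if expat is ever asked to resolve an external entity.
        raise ForbiddenXML("external entity forbidden: %s" % system_id)

    parser.EntityDeclHandler = forbid_entity_decl
    parser.UnparsedEntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    if isinstance(data, str):
        data = data.encode("utf-8")
    parser.Parse(data, True)           # exceptions from handlers propagate
    return builder.close()


# Constructed payloads (small on purpose; a real attack nests ten levels).
ENTITY_EXPANSION = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz ['
    b'<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    b']>'
    b'<lolz>&lol2;</lolz>'
)
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b'<x>&ext;</x>'
)
CLEAN = b'<volumes><volume id="vol-1" status="available"/></volumes>'


def stdlib_expanded_length(data):
    """What the built-in parser does: it expands the entities silently."""
    return len(ET.fromstring(data).text or "")


def hardened_verdict(data):
    """Return 'ok' if the hardened parser accepts the document, otherwise
    the reason it was refused."""
    try:
        parse_hardened(data)
        return "ok"
    except ForbiddenXML as exc:
        return str(exc)


if __name__ == "__main__":
    print("stdlib expanded the bomb to %d bytes of text"
          % stdlib_expanded_length(ENTITY_EXPANSION))
    for payload in (ENTITY_EXPANSION, EXTERNAL_ENTITY, CLEAN):
        print(hardened_verdict(payload))
```

With the stock parser the two-level bomb silently expands to 300 bytes of text; the classic ten-level version reaches gigabytes from under a kilobyte of input. The guarded parser refuses both payloads at the first <!ENTITY> declaration, before any expansion or file access can happen, and still parses the clean document. defusedxml's ElementTree wrapper applies the same rules by default, which is why it was a drop-in replacement for ET.fromstring/ET.parse in the drivers.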
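Bug 1737207 above shows the classic failure mode: a DEBUG line that reprs a whole object, secret included. The following added example is not nova's code (nova and the other OpenStack projects use oslo.utils' strutils.mask_password for this); it shows the defence-in-depth half of such a fix, a logging.Filter that masks password-like values before any handler formats them, so a stray repr cannot leak a secret even when the call site is wrong. SAMPLE_LINE is a constructed, shortened version of the line quoted in the bug; the key list, the logger name and the regexes are assumptions.

```python
"""Mask secrets before they reach a log handler.

Added example for bug 1737207; not nova's code.  A logging.Filter rewrites
the already-formatted message so that values of password-like keys are
replaced with '***' whatever the surrounding syntax: Python repr
(admin_pass=u'...'), dict/JSON ("password": "..."), or bare key=value.
SAMPLE_LINE is constructed to resemble the line quoted in the bug.
"""
import logging
import re

# Keys whose values must never be logged.  Extend for the deployment.
SECRET_KEYS = ("admin_pass", "admin_password", "password", "passwd",
               "secret", "token", "auth_token")

_KEY = "(?:" + "|".join(re.escape(k) for k in SECRET_KEYS) + ")"

# Quoted value: key=u'v', key='v', "key": "v" ... The value runs up to
# the matching quote character, whatever it contains.
_QUOTED_RE = re.compile(
    r"""(?P<prefix>['"]?\b%s\b['"]?\s*[=:]\s*u?)(?P<quote>['"])(?:(?!(?P=quote)).)*(?P=quote)"""
    % _KEY, re.IGNORECASE)

# Bare value: key=v up to whitespace, comma or ')'; skipped when the value
# is quoted because _QUOTED_RE already handled (and masked) it.
_BARE_RE = re.compile(
    r"""(?P<prefix>\b%s\b\s*=\s*)(?!u?['"])[^\s,)]+""" % _KEY,
    re.IGNORECASE)


def mask_secrets(text):
    """Return text with the values of SECRET_KEYS replaced by '***'."""
    text = _QUOTED_RE.sub(
        lambda m: m.group("prefix") + m.group("quote") + "***" + m.group("quote"),
        text)
    return _BARE_RE.sub(lambda m: m.group("prefix") + "***", text)


class MaskSecretsFilter(logging.Filter):
    """Rewrite the record in place so every handler only sees masked text.

    Masking happens after %-formatting, so secrets passed as args (or
    hidden inside an object's repr) are caught too.
    """

    def filter(self, record):
        record.msg = mask_secrets(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def emit_through_filter(message, *args):
    """Log message at DEBUG through the filter; return the emitted lines."""
    logger = logging.getLogger("nova.virt.libvirt.driver.example")  # assumed
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    handler.setLevel(logging.DEBUG)
    handler.addFilter(MaskSecretsFilter())
    logger.handlers = [handler]
    logger.debug(message, *args)
    logger.handlers = []
    return handler.lines


# Constructed, shortened stand-in for the line quoted in the bug report.
SAMPLE_LINE = (
    "[instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Injecting "
    "InjectionInfo(network_info=[{\"address\": \"fa:16:3e:d3:8e:f8\", "
    "\"id\": \"56e5a50e-d30e-4814-aee3-fcc9525d12ca\"}], files=[], "
    "admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data driver.py:3146}}"
)

if __name__ == "__main__":
    for line in emit_through_filter(SAMPLE_LINE):
        print(line)
    print(emit_through_filter("Injecting %s", {"admin_pass": "s3cr3t"})[0])
```

Attach the filter to every handler (not only to one logger), because a record is shared between handlers and a handler without the filter would still write the raw text; the masked line keeps the instance, MAC and port IDs the operator needs while the password becomes admin_pass=u'***'. The real fix is still to stop logging the object in the first place; the filter is the safety net for the next call site that forgets.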
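Bug 1711117 above turns on one rule: the [paste_deploy] flavor is appended to the application name to pick the paste pipeline, and an unset flavor selects the bare pipeline, which has no authentication. The following is an added example, not glance's code, that applies that rule to a constructed glance-api.conf and glance-api-paste.ini so an operator can check which pipeline a given config would load and whether it runs the authtoken filter. The paste sections and filter names are assumptions modelled on the upstream paste file and shortened for the example.

```python
"""Check which paste pipeline a glance-api.conf actually selects.

Added example for bug 1711117; not glance's code.  It resolves the
[paste_deploy] flavor the way the sample config's own comment describes:
"glance-api" + "-" + flavor names the [pipeline:...] section in
glance-api-paste.ini, and no flavor means the bare [pipeline:glance-api]
section.  The config texts below are constructed and shortened; the
filter names are assumptions modelled on the upstream paste file.
"""
import configparser

# Constructed glance-api.conf fragments: the sample default leaves the
# option commented out (so it is unset); the hardened one sets it.
CONF_SAMPLE = """
[paste_deploy]
#flavor = keystone
"""
CONF_EXPLICIT = """
[paste_deploy]
flavor = keystone
"""

# Constructed glance-api-paste.ini fragment (filter names are assumptions).
PASTE_INI = """
[pipeline:glance-api]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp

[pipeline:glance-api-keystone]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
"""

APP_NAME = "glance-api"


def paste_flavor(conf_text):
    """Return the configured [paste_deploy] flavor, or None when unset.

    A commented-out '#flavor = keystone' line is a comment to configparser
    just as it is to oslo.config, so it counts as unset.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    value = cp.get("paste_deploy", "flavor", fallback=None)
    return value or None


def effective_pipeline(conf_text, paste_ini_text):
    """Return the list of filters/apps in the pipeline glance would load."""
    flavor = paste_flavor(conf_text)
    section = APP_NAME + ("-" + flavor if flavor else "")
    ini = configparser.ConfigParser()
    ini.read_string(paste_ini_text)
    return ini.get("pipeline:" + section, "pipeline").split()


def is_authenticated(conf_text, paste_ini_text):
    """True when the selected pipeline runs keystonemiddleware's authtoken
    filter; False means every request is served with the unauthenticated
    context, which is what the misleading sample default produces."""
    return "authtoken" in effective_pipeline(conf_text, paste_ini_text)


if __name__ == "__main__":
    for name, conf in (("sample", CONF_SAMPLE), ("explicit", CONF_EXPLICIT)):
        print(name, paste_flavor(conf),
              effective_pipeline(conf, PASTE_INI),
              "authenticated" if is_authenticated(conf, PASTE_INI) else "UNAUTHENTICATED")
```

Run this against the real files of a deployment and alert when is_authenticated() is False: that is exactly the state an operator reaches by trusting the "#flavor = keystone" sample line and deleting the explicit setting.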