[Openstack-security] [Bug 1348339] Re: Use of weak MD5 algorithm
Jeremy Stanley
fungi at yuggoth.org
Sat Jul 26 00:41:31 UTC 2014
The only current known weakness in MD5 is a hash collision--the ability
for an attacker to pick (with some effort) two inputs which hash to the
same value. In what way do you see this posing a risk to Trove's use of
MD5 for stream validation?

Also, I agree with your bug description calling this out specifically as
a hardening measure, something for which we should not issue a security
advisory.

** Tags added: security
** Information type changed from Public Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1348339
Title:
Use of weak MD5 algorithm
Status in OpenStack Security Advisories:
Won't Fix
Status in Openstack Database (Trove):
New
Bug description:
The file: trove/trove/guestagent/strategies/storage/swift.py line 54
uses a weak hashing algorithm, MD5. It would be a pretty simple
hardening upgrade to use at least hashlib.SHA256.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1348339/+subscriptions
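
An added illustration of the hardening the bug description proposes (this is not Trove's code and not part of the original message): a stream wrapper that hashes each chunk as it is read, with the algorithm as a parameter so a SHA-256 digest can take the place of MD5. The class, function, and sample data names are hypothetical.

```python
import hashlib
import hmac
import io


class DigestingReader:
    """Wrap a binary stream and hash every chunk that passes through read()."""

    def __init__(self, stream, algorithm="sha256"):
        self._stream = stream
        # hashlib.new() raises ValueError for an unsupported algorithm name.
        self._hash = hashlib.new(algorithm)
        self.bytes_read = 0

    def read(self, size=-1):
        chunk = self._stream.read(size)
        self._hash.update(chunk)
        self.bytes_read += len(chunk)
        return chunk

    def hexdigest(self):
        return self._hash.hexdigest()


def copy_and_verify(src, dst, expected_hex, algorithm="sha256", chunk_size=65536):
    """Copy src to dst chunk by chunk; return True only if the digest matches."""
    reader = DigestingReader(src, algorithm)
    while True:
        chunk = reader.read(chunk_size)
        if not chunk:
            break
        dst.write(chunk)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(reader.hexdigest(), expected_hex.lower())


# Constructed sample data, not a real backup stream.
SAMPLE = b"constructed backup payload"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def demo():
    """Return (intact stream verifies, modified stream verifies)."""
    intact = copy_and_verify(io.BytesIO(SAMPLE), io.BytesIO(),
                             EXPECTED_SHA256, chunk_size=8)
    modified = copy_and_verify(io.BytesIO(SAMPLE + b"!"), io.BytesIO(),
                               EXPECTED_SHA256, chunk_size=8)
    return intact, modified
```
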