[Openstack-security] [Bug 1348339] Re: Use of weak MD5 algorithm
Jeremy Stanley
fungi at yuggoth.org
Mon Jul 28 18:39:59 UTC 2014
Right, so risky in places where collision and chosen-prefix attacks can
be mounted... just trying to ascertain whether the static analysis which
highlighted this bug identified an exploitable security vulnerability or
just another hardening opportunity. Sounds like the latter.
It's worth noting however that similar issues were just pointed out
yesterday in rsync (it uses MD5 for identifying alterations to blocks
rather than stream integrity, but perhaps a tangentially similar problem
space?). http://openwall.com/lists/oss-security/2014/07/28/1
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1348339
Title:
Use of weak MD5 algorithm
Status in OpenStack Security Advisories:
Won't Fix
Status in Openstack Database (Trove):
Triaged
Bug description:
The file: trove/trove/guestagent/strategies/storage/swift.py line 54
uses a weak hashing algorithm, MD5. It would be a pretty simple
hardening upgrade to use at least hashlib.SHA256.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1348339/+subscriptions