[Openstack-security] [Bug 1319643] Re: Using random.random() should not be used to generate randomness used for security reasons

OpenStack Infra 1319643 at bugs.launchpad.net
Thu Jun 5 19:30:55 UTC 2014


Reviewed:  https://review.openstack.org/96738
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=6791fa41e06beab23bc7832a3bfa9ab28adf1e34
Submitter: Jenkins
Branch:    master

commit 6791fa41e06beab23bc7832a3bfa9ab28adf1e34
Author: Ollie Leahy <oliver.leahy at hp.com>
Date:   Fri May 30 11:57:02 2014 +0000

    Use os.urandom in volume transfer
    
    This patch replaces a call to random.random() with a call to
    os.urandom(), which generates a higher quality random number.
    
    Closes-Bug: #1319643
    
    Change-Id: Ifaa2216d4905f5286884629beac52b25249d621f


** Changed in: cinder
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1319643

Title:
  Using random.random() should not be used to generate randomness used
  for security reasons

Status in Cinder:
  Fix Committed
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  In cinder code : /cinder/transfer/api.py . The line of code below uses
  random.random() to generate a random number. Standard random number
  generators should not be used to generate randomness used for security
  reasons. Could we use a cryptographic randomness generator to provide
  sufficient entropy instead of it?

  # Snippet as reported (Python 2 era code; under Python 3 the str() value would
  # need .encode() before hashing). Wrapped in a function and given imports so it
  # can be run; the function name is assumed for illustration, not taken from cinder.
  import datetime
  import hashlib
  import random

  def _get_random_string(length):
      rndstr = ""
      random.seed(datetime.datetime.now().microsecond)
      while len(rndstr) < length:
          rndstr += hashlib.sha224(str(random.random())).hexdigest()   # <-- This line has the described issue.
      return rndstr[0:length]

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1319643/+subscriptions
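The following is an added example written for this page; it is not code from cinder or from the linked commit. It shows why the reported pattern is weak in a way the bug text only states: because the PRNG is re-seeded from datetime's microsecond field, the key is a deterministic function of one integer in [0, 1000000), and SHA-224 only disguises that. An attacker who sees a key can sweep all seeds and reproduce it. Beside it is a hardened generator in the spirit of the fix (os.urandom, no seeding). All function names (weak_transfer_key, recover_seed, strong_transfer_key, looks_like_hex_key) are assumptions of this example, and the key length 16 is a constructed value, not one taken from cinder's configuration.

```python
import datetime
import hashlib
import os
import random

MICROSECONDS_PER_SECOND = 1_000_000  # datetime.microsecond ranges over [0, 1e6)


def weak_transfer_key(length, microsecond):
    """Python 3 port of the pattern reported in the bug (example code, not cinder's).

    The PRNG is re-seeded from the clock's microsecond field and SHA-224 is used
    to make the output look random. The hash adds no entropy: the whole key is a
    deterministic function of a single integer below 1,000,000.
    """
    random.seed(microsecond)
    rndstr = ""
    while len(rndstr) < length:
        rndstr += hashlib.sha224(str(random.random()).encode()).hexdigest()
    return rndstr[:length]


def recover_seed(observed_key):
    """Attacker side: given a key produced by weak_transfer_key, sweep every
    possible microsecond value and return the one that reproduces it.

    Worst case is one million SHA-224 calls, a few seconds on a laptop.
    Returns None if the key did not come from that generator.
    """
    length = len(observed_key)
    for candidate in range(MICROSECONDS_PER_SECOND):
        if weak_transfer_key(length, candidate) == observed_key:
            return candidate
    return None


def strong_transfer_key(length):
    """Hardened form in the spirit of the committed fix: bytes from the OS CSPRNG
    (os.urandom), hex encoded, with no seeding from the clock.

    Each hex character carries 4 bits, so a 16-character key has 64 bits of
    entropy instead of at most 20 (log2 of one million).
    """
    return os.urandom((length + 1) // 2).hex()[:length]


def looks_like_hex_key(key, length):
    """Sanity check used by the demo: correct length and lowercase hex only."""
    return len(key) == length and all(c in "0123456789abcdef" for c in key)


def main():
    # Victim generates a key exactly as the reported code does.
    microsecond = datetime.datetime.now().microsecond
    key = weak_transfer_key(16, microsecond)
    print("weak key      :", key)
    # Attacker sees only the key and recovers the seed, hence the generator state.
    print("recovered seed:", recover_seed(key), "(actual:", microsecond, ")")
    print("strong key    :", strong_transfer_key(16))


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind when reviewing similar code: hashing a PRNG output never increases its entropy, so the check to make is what feeds the generator, not what wraps it; and even without the clock seeding, random.random() is a Mersenne Twister whose internal state can be reconstructed from enough raw outputs, so the replacement must be the OS CSPRNG (os.urandom, or the secrets module on Python 3.6 and later), not merely a different seed.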
