[Openstack-security] [openstack/glance] SecurityImpact review request change I9236cc85f4e9881ac1aa35d69bc6761a59c1b6c8
gerrit2 at review.openstack.org
gerrit2 at review.openstack.org
Tue Jan 20 20:45:32 UTC 2015
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/80178
Log:
commit e8822691ef8ece3c579e7224d399fd5579977cb2
Author: Fei Long Wang <flwang at cn.ibm.com>
Date: Thu Mar 13 13:30:05 2014 +0800
Make digest algorithm configurable
It would be great to enhance Glance to use minimum of SHA2
to do digital signature for FIPS compliance. Since in
FIPS(FEDERAL INFORMATION PROCESSING STANDARDS) says the
SHA-1 is not suitable for general-purpose digital signature
applications (as specified in FIPS 186-3) that require 112
bits of security. In the case of digital signatures, SHA-1
does not provide the 112 bits of collision resistance needed
to achieve the security strength.
Now we're using hardcode 'sha1'. So this patch will make it
configurable firstly and set the default value as sha1 in
Kilo for smooth upgrade, which will be changed with sha256
in next release(L).
DocImpact
UpgradeImapact
SecurityImpact
Closes-Bug: #1288545
Change-Id: I9236cc85f4e9881ac1aa35d69bc6761a59c1b6c8
More information about the Openstack-security
mailing list