Reviewed:  https://review.openstack.org/324104
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=b2b801b3457f1f9d7625add75f2b52057cbbbb6c
Submitter: Jenkins
Branch:    master

commit b2b801b3457f1f9d7625add75f2b52057cbbbb6c
Author: Matt Borland <matt.borl...@hpe.com>
Date:   Wed Jun 1 15:08:12 2016 -0600

    Add warning when falling back to insecure key generation

    When secret_key.py generates the key, it silently regresses when
    SystemRandom isn't present. We need the reversion for non-production
    environments, but we need to warn in environments when SystemRandom
    isn't being used.

    See the bug report for more details.

    Change-Id: Ibed0a41d377317db9bdfa1c9a277eb70691172e7
    Closes-Bug: 1588064

** Changed in: horizon
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1588064

Title:
  secret_key.py doesn't warn when reverting to insecure key generation

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  secret_key.py is used to generate a 64-bit key used by Django; however
  when it cannot find the 'SystemRandom' extension to the 'random'
  package it reverts to a generator that is, by documentation, not
  secure cryptographically.

  Witness: https://docs.python.org/2/library/random.html

  Reverting to the generator without leaving a warning is a hazard from
  a system security perspective. We should log at WARN that there is a
  possible security issue in the configuration.
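
Added example (not Horizon's secret_key.py and not part of the bug report or commit): a sketch of the behaviour the report asks for, where key generation prefers SystemRandom and logs at WARNING whenever it has to fall back to the default generator. The function names, logger name, alphabet, default length in characters and the require_secure switch are assumptions of this example.

```python
import logging
import random
import string

# Logger name, alphabet and default length are choices made for this example.
LOG = logging.getLogger("secret_key_example")
ALPHABET = string.ascii_letters + string.digits


def pick_rng(random_module=random, require_secure=False):
    """Return (rng, is_secure); the downgrade is never silent."""
    system_random = getattr(random_module, "SystemRandom", None)
    if system_random is not None:
        try:
            rng = system_random()
            rng.random()  # raises NotImplementedError without an OS entropy source
            return rng, True
        except NotImplementedError:
            pass
    if require_secure:
        # Hypothetical strict mode for production: fail instead of downgrading.
        raise RuntimeError("SystemRandom unavailable; refusing to generate a key")
    LOG.warning("SystemRandom unavailable: falling back to the default 'random' "
                "generator, which is not cryptographically secure. "
                "Do not use the resulting key in production.")
    return random_module, False


def generate_key(length=64, random_module=random, require_secure=False):
    """Return (key, is_secure), where key has `length` characters."""
    rng, secure = pick_rng(random_module, require_secure)
    return "".join(rng.choice(ALPHABET) for _ in range(length)), secure
```

Passing a stand-in object without a SystemRandom attribute as random_module exercises the fallback path, which makes the warning easy to check in a unit test.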