This feels like an interesting security strengthening, but I'm not sure there currently is an exploitable vulnerability here, so no need for a security advisory?

** Changed in: ossa
       Status: New => Incomplete

** Also affects: nova
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1368074

Title:
  [Security-NIST]nova/virt/disk/api.py does not fit the NIST

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  def _generate_salt():
      salt_set = ('abcdefghijklmnopqrstuvwxyz'
                  'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                  '0123456789./')
      salt = 16 * ' '
      return ''.join([random.choice(salt_set) for c in salt])

  The function generates the random string as a key for encryption.
  As the random is a lib for generating pseudo-random number
  So it does not match the NIST stand

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1368074/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
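
Added example, not part of the bug report or of nova's code: the salt generator from the description next to a variant that keeps the same alphabet and length but draws from the operating system CSPRNG through Python's `secrets` module. The function names and the seed value are assumptions made for illustration.

```python
import random
import secrets

# Same 64-character alphabet and length as the snippet in the bug description.
SALT_SET = ('abcdefghijklmnopqrstuvwxyz'
            'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
            '0123456789./')
SALT_LEN = 16


def generate_salt_prng(rng=random):
    """Behaviour of the reported code: choices come from a Mersenne Twister
    PRNG, whose output is fully determined by its internal state."""
    return ''.join(rng.choice(SALT_SET) for _ in range(SALT_LEN))


def generate_salt_csprng():
    """Same output format, drawn from the OS CSPRNG (hypothetical replacement,
    not nova's actual fix)."""
    return ''.join(secrets.choice(SALT_SET) for _ in range(SALT_LEN))


def prng_is_reproducible(seed):
    """True when two generators started from the same seed emit the same salt,
    which is the property the report objects to."""
    first = generate_salt_prng(random.Random(seed))
    second = generate_salt_prng(random.Random(seed))
    return first == second


def is_valid_salt(salt):
    """Check length and alphabet so both variants stay drop-in compatible."""
    return len(salt) == SALT_LEN and all(c in SALT_SET for c in salt)


if __name__ == '__main__':
    # Constructed seed, used only to show that PRNG state fixes the output.
    print('PRNG reproducible from seed:', prng_is_reproducible(1368074))
    print('PRNG salt  :', generate_salt_prng())
    print('CSPRNG salt:', generate_salt_csprng())
```

`random.SystemRandom().choice` is an equivalent source on Python versions that predate the `secrets` module.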