[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1875439] Re: glance requires md5 implementation be available

I forgot to mention that I agree with Jeremy's assessment of this as
class D.  An OSSN during Victoria is a good idea; people for whom this
is a problem may wish to plan ahead to upgrade their clouds.

** Changed in: glance
       Status: New => Triaged

** Changed in: glance
   Importance: Undecided => High

You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.

  glance requires md5 implementation be available

Status in Glance:
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Glance populates a legacy 'checksum' image property which is an md5
  hash of image data content.  It's a "legacy" property because it has
  not been required for the validation of downloaded image data since
  glance version 17.0.0 (Rocky) when the operator-configurable secure
  "multihash" was implemented.  However, the 'checksum' property has
  continued to be populated for backward compatibility.  In order to
  populate the field, even as a courtesy, an implementation of the md5
  algorithm must be available to glance; but this cannot be guaranteed
  in environments that comply with various security standards (for
  example, FIPS).  As a result, there are environments in which glance
  cannot be run, and of course, these are most likely exactly the
  environments in which people want to run glance.

  To remove the dependency on the insecure MD5 algorithm, glance should
  stop populating the legacy 'checksum' field.  It has already been made
  redundant by the secure "multihash" and is unnecessary.  In order to
  preserve backward compatibility, the field will not be removed.

  As a timeframe for fixing this: an announcement can be made to
  operators as part of the Ussuri release, and code using md5 will be
  removed during the Victoria development cycle.  Thus the Victoria
  release will not require Glance to be executed in a non-compliant
  security environment.

To manage notifications about this bug go to: