Use SystemRandom rather than random

Bug #1424089 reported by Brant Knudson
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Brant Knudson  2015.1.0
OpenStack Security Advisory    Won't Fix     Undecided   Unassigned

Bug Description

SystemRandom should be preferred over direct use of random.

Tags: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/157990

Changed in keystone:
status: New → In Progress
Jeremy Stanley (fungi) wrote :

The patch says security hardening (which I think it probably is), making it class D (or maybe C1) in our incident report taxonomy. https://wiki.openstack.org/wiki/Vulnerability_Management#Incident_report_taxonomy

If you agree, we should switch the bug type from public security to public (and maybe add the "security" bug tag instead).

Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx) wrote :

Agree on class D - hardening.

Changed in ossa:
status: Incomplete → Won't Fix
Jeremy Stanley (fungi)
information type: Public Security → Public
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/157990
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2990953cd65b7deccfa48b54e4bb4c65480eb25e
Submitter: Jenkins
Branch: master

commit 2990953cd65b7deccfa48b54e4bb4c65480eb25e
Author: Brant Knudson <email address hidden>
Date: Fri Feb 20 16:50:08 2015 -0600

    Change use of random to random.SystemRandom

    There's no reason to use random directly unless the code really
    requires a pseudo-random number generator. This is for security
    hardening.

    SecImpact
    Closes-Bug: 1424089

    Change-Id: I2eb0c78af230026de9139363bc05e453d581a700

Changed in keystone:
status: In Progress → Fix Committed
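Added example, not keystone's code and not part of the bug report or the merged change: the "before" pattern the commit replaces (module-level `random`, a seedable Mersenne Twister) beside the `random.SystemRandom` form it introduces, plus a small `ast` check that flags direct module-level `random` calls in a source file, run here over a constructed snippet. The function names `weak_token`, `hardened_token` and `find_direct_random_calls`, the constant `SAMPLE_SOURCE` and the snippet's contents are assumptions made for this illustration.

```python
"""Weak vs. hardened token generation, plus a lint-style check for direct
use of the `random` module.  Added example; not keystone code."""
import ast
import random
import string

ALPHABET = string.ascii_letters + string.digits

# Module-level random functions that should not back security-sensitive values.
RANDOM_FUNCS = {"random", "randint", "randrange", "choice", "choices",
                "sample", "shuffle", "getrandbits", "uniform"}


def weak_token(length=32, seed=None):
    """'Before' pattern: the module-level `random` functions (Mersenne Twister).
    The output is fully determined by the seed, so anyone who learns or
    guesses the seed (or recovers the state from prior outputs) can
    reproduce every token."""
    random.seed(seed)
    return "".join(random.choice(ALPHABET) for _ in range(length))


def hardened_token(length=32, seed=None):
    """'After' pattern: random.SystemRandom draws from os.urandom().
    SystemRandom.seed() is a documented no-op, so a caller cannot make the
    output reproducible by seeding it (the `seed` argument is here only to
    demonstrate that)."""
    rng = random.SystemRandom()
    rng.seed(seed)  # ignored by SystemRandom
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def find_direct_random_calls(source):
    """Return a sorted list of (lineno, function_name) for every call of a
    module-level random function in `source`, whether written as
    `random.<func>(...)` or imported with `from random import <func>`.
    Calls through a SystemRandom instance are not flagged."""
    tree = ast.parse(source)
    hits = []
    imported = {}  # local name -> original name, from `from random import ...`
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "random":
            for alias in node.names:
                imported[alias.asname or alias.name] = alias.name
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            base = func.value
            if (isinstance(base, ast.Name) and base.id == "random"
                    and func.attr in RANDOM_FUNCS):
                hits.append((node.lineno, func.attr))
        elif isinstance(func, ast.Name):
            original = imported.get(func.id)
            if original in RANDOM_FUNCS:
                hits.append((node.lineno, original))
    return sorted(hits)


# Constructed sample source for the check; hypothetical, not from keystone.
SAMPLE_SOURCE = '''\
import random
from random import randint

def make_password():
    return "".join(random.choice(ALPHABET) for _ in range(16))

def pick_port():
    return randint(1024, 65535)

_sysrand = random.SystemRandom()

def make_token():
    return "".join(_sysrand.choice(ALPHABET) for _ in range(32))
'''


if __name__ == "__main__":
    # Same seed, same "random" token: the weak pattern is reproducible.
    print("weak, seed 1234:", weak_token(16, seed=1234))
    print("weak, seed 1234:", weak_token(16, seed=1234))
    # Seeding SystemRandom changes nothing; each call is fresh OS entropy.
    print("hardened, seed 1234:", hardened_token(16, seed=1234))
    print("hardened, seed 1234:", hardened_token(16, seed=1234))
    for lineno, name in find_direct_random_calls(SAMPLE_SOURCE):
        print("direct random call: line %d, %s()" % (lineno, name))
```

The check deliberately ignores `random.SystemRandom(...)` and calls on instances such as `_sysrand.choice`, which is the pattern the merged change moves to. On Python 3.6 and later the `secrets` module wraps a `SystemRandom` instance and is the simpler spelling for the same hardening.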
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0