Dear Ryu Developers,

During preliminary tests of the software's security we discovered the following findings reported by source code analyzers. Could you confirm whether these issues have already been fixed or will be resolved in an upcoming version?

1. TCP-MD5 usage (https://github.com/faucetsdn/ryu/blob/v4.34/ryu/lib/sockopt.py#L54) - SHA-256 and SHA3 are recommended. However, the performance of a SHA-256 hash is about 20-30% slower to calculate than either MD5 or SHA-1 hashes. Has anyone noticed suffering from this limitation?

2. There is a set of vulnerabilities related to the SQLAlchemy component. They concern version 1.2.17 but are still reported. Are they also valid for the current version 1.4.7?

2a. SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled (CVE-2019-7548).

2b. SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter (CVE-2019-7164).

2c. Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset function (CVE-2012-0805).

3. Check SSL Certificate Fingerprint (https://github.com/faucetsdn/ryu/blob/v4.34/ryu/services/protocols/ovsdb/manager.py#L82) - is the verification of the SSL certificate fingerprint still missing?

--
Thank you in advance.

_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel
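Point 3 above asks whether the OVSDB manager verifies the peer's SSL certificate fingerprint. The following is an added illustration of what such a check looks like in Python; it is not Ryu's code and says nothing about what manager.py actually does. All function names (normalize_fingerprint, cert_fingerprint, fingerprint_matches, verify_peer_fingerprint, connect_with_pinned_cert) are hypothetical, and SAMPLE_DER is a constructed byte string standing in for a real DER-encoded certificate, since a fingerprint is simply a hash over the raw DER bytes.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: NOT a real certificate. A fingerprint is just a
# digest of the DER bytes, so any byte string exercises the logic offline.
SAMPLE_DER = b"constructed-placeholder-not-a-real-DER-certificate"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' (OpenSSL style) or plain hex; return lowercase hex
    without separators so operator-supplied pins compare reliably."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def cert_fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint of a DER-encoded certificate: hash over the raw DER bytes.
    Defaults to SHA-256; MD5/SHA-1 fingerprints should not be used for pinning."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str,
                        algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the computed and the expected fingerprint."""
    actual = cert_fingerprint(der_cert, algorithm)
    return hmac.compare_digest(actual, normalize_fingerprint(expected))


def verify_peer_fingerprint(tls_sock: ssl.SSLSocket, expected: str) -> None:
    """Raise if the connected peer did not present a certificate or if its
    fingerprint differs from the pinned value. Call this before sending any
    application data over the socket."""
    der = tls_sock.getpeercert(binary_form=True)
    if not der:
        raise ssl.SSLError("peer presented no certificate")
    if not fingerprint_matches(der, expected):
        raise ssl.SSLError("peer certificate fingerprint mismatch")


def connect_with_pinned_cert(host: str, port: int, expected: str) -> ssl.SSLSocket:
    """Open a TLS connection whose peer is authenticated by a pinned
    fingerprint instead of a CA chain (typical for self-signed switch certs).
    verify_mode is CERT_NONE only because the pin check below replaces chain
    validation; without that check this context would accept any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw)
    try:
        verify_peer_fingerprint(tls, expected)
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    pin = cert_fingerprint(SAMPLE_DER)
    print("computed pin:", pin)
    print("match with same bytes:", fingerprint_matches(SAMPLE_DER, pin))
    print("match with other bytes:", fingerprint_matches(b"other", pin))
```

The design point is the ordering: the fingerprint is checked against the certificate the peer actually presented during the handshake, and the connection is torn down on mismatch before any OVSDB (or other) data is exchanged. Operators usually record the pin from `openssl x509 -fingerprint -sha256`, which is why the colon-separated, upper-case form is normalized.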