*** This bug is a security vulnerability *** Public security bug reported:
Glance populates a legacy 'checksum' image property which is an md5 hash of image data content. It's a "legacy" property because it has not been required for the validation of downloaded image data since glance version 17.0.0 (Rocky) when the operator-configurable secure "multihash" was implemented.

However, the 'checksum' property has continued to be populated for backward compatibility. In order to populate the field, even as a courtesy, an implementation of the md5 algorithm must be available to glance; but this cannot be guaranteed in environments that comply with various security standards (for example, FIPS). As a result, there are environments in which glance cannot be run, and of course, these are most likely exactly the environments in which people want to run glance.

To remove the dependency on the insecure MD5 algorithm, glance should stop populating the legacy 'checksum' field. It has already been made redundant by the secure "multihash" and is unnecessary. In order to preserve backward compatibility, the field will not be removed.

As a timeframe for fixing this: an announcement can be made to operators as part of the Ussuri release, and code using md5 will be removed during the Victoria development cycle. Thus the Victoria release will not require Glance to be executed in a non-compliant security environment.

** Affects: glance
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1875439

Title: glance requires md5 implementation be available

Status in Glance: New
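
An added example, not part of the bug report and not Glance's own code: a sketch of the behaviour the report asks for, where the multihash is always computed, the legacy 'checksum' is filled in only when an md5 implementation can be instantiated, and download validation relies on the multihash alone. The multihash field names `os_hash_algo` and `os_hash_value` follow Glance's image API; the function names and the sample data are hypothetical.

```python
import hashlib
import hmac


def legacy_md5():
    """Return an md5 object, or None where the algorithm is disabled."""
    try:
        return hashlib.md5()
    except ValueError:
        # Assumption: on a FIPS-enforcing host hashlib refuses md5 this way.
        return None


def hash_image(chunks, algo="sha512", legacy_factory=legacy_md5):
    """Stream image data once: multihash always, md5 only if available."""
    multihash = hashlib.new(algo)
    legacy = legacy_factory()
    for chunk in chunks:
        multihash.update(chunk)
        if legacy is not None:
            legacy.update(chunk)
    return {
        # The field is kept for backward compatibility but may be empty.
        "checksum": legacy.hexdigest() if legacy is not None else None,
        "os_hash_algo": algo,
        "os_hash_value": multihash.hexdigest(),
    }


def verify_download(chunks, record):
    """Validate downloaded data against the multihash; 'checksum' is ignored."""
    digest = hashlib.new(record["os_hash_algo"])
    for chunk in chunks:
        digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), record["os_hash_value"])


# Constructed sample data standing in for image chunks.
SAMPLE_CHUNKS = [b"constructed ", b"image ", b"bytes"]

if __name__ == "__main__":
    print(hash_image(SAMPLE_CHUNKS))
    # Simulate a host where md5 is not available.
    record = hash_image(SAMPLE_CHUNKS, legacy_factory=lambda: None)
    print(record["checksum"], verify_download(SAMPLE_CHUNKS, record))
```

Passing `legacy_factory=lambda: None` simulates a host without md5, so the empty-checksum path can be exercised on a machine where md5 is still available.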