*** This bug is a security vulnerability ***
Public security bug reported:
from string import ascii_letters, digits
from cloudinit import util

PW_SET = (''.join([x for x in ascii_letters + digits
                   if x not in 'loLOI01']))

def rand_user_password(pwlen=9):
    return util.rand_str(pwlen, select_from=PW_SET)
len(PW_SET) is 55
log_2(55^20) is 115 bits, which is above 112, which matches the default OpenSSL
SECLEVEL=2 setting in Focal Fossa.
Please bump PW_SET to 20, as 9 is crackable (provides 52 bits of
security which is less than SECLEVEL 0).
As I'm about to use this on a mainframe, which by definition can crack
that.
** Affects: cloud-init (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1860795
Title:
cc_set_passwords is too short for RANDOM
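Added example, not part of the original report or of cloud-init's code: it reproduces the entropy figures from the report for the 55-character PW_SET and derives the minimum length for a given bit target. The function names entropy_bits, min_length and rand_password are hypothetical, and secrets.choice is used here as a stand-in for util.rand_str.

```python
import math
import secrets
from string import ascii_letters, digits

# Same alphabet as the PW_SET quoted in the report: letters and digits
# minus the look-alike characters.
PW_SET = "".join(x for x in ascii_letters + digits if x not in "loLOI01")


def entropy_bits(pwlen, alphabet=PW_SET):
    """Bits of entropy of a uniformly random password of length pwlen."""
    return pwlen * math.log2(len(set(alphabet)))


def min_length(target_bits, alphabet=PW_SET):
    """Smallest length whose entropy is at least target_bits."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def rand_password(target_bits=112, alphabet=PW_SET):
    """Hypothetical generator (assumption, not cloud-init's API): sizes the
    password from a bit target and draws each character from the OS CSPRNG."""
    n = min_length(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    # The two lengths discussed in the report.
    for n in (9, 20):
        print(f"pwlen={n:2d}: {entropy_bits(n):6.1f} bits")
    # Bit targets chosen for illustration (constructed sample values).
    for bits in (80, 112, 128):
        print(f"{bits} bits needs pwlen >= {min_length(bits)}")
    print(rand_password())
```

Sizing the length from a bit target keeps the strength stable if the alphabet is later changed, since the length is recomputed from the alphabet size.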