** Information type changed from Private Security to Public ** Changed in: ossa Status: Incomplete => Invalid
** Tags added: security -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1246158 Title: randint method brings potential security issue Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Invalid Bug description: In the /keystone/contrib/oauth1/backends/sql.py, line 210, the source code is below token_dict['verifier'] = str(random.randint(1000, 9999)) This code is using randint method to generate a random number, Standard random number generators should not be used to generate randomness used for security reasons. For security sensitive randomness a crytographic randomness generator that provides sufficient entropy should be used. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1246158/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp