Actions
Bug #23128
closed
Deface uses MD5 and doesn't work in FIPS-enable environment
Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Difficulty:
Triaged:
No
Description
How to reproduce:
1. install a plugin that uses deface (e.g. katello, foreman_remote_execution…)
2. use the web server or call `rake apipie:cache:index`
Results:
MD5 is used by deface with the following backtrace:
| /opt/theforeman/tfm/root/usr/share/gems/gems/deface-1.2.0/lib/deface/action_view_extensions.rb:55:in `method_name' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:157:in `block in render' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activesupport-5.1.4/lib/active_support/notifications.rb:168:in `instrument' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:352:in `instrument_render_template' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:155:in `render' | /opt/theforeman/tfm/root/usr/share/gems/gems/deface-1.2.0/lib/deface/action_view_extensions.rb:41:in `render' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:64:in `render_with_layout' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:50:in `render_template' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:14:in `render' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/renderer.rb:42:in `render_template' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/renderer.rb:23:in `render' | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/helpers/rendering_helper.rb:32:in `render' | /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-rails-0.5.6/lib/tasks/apipie.rake:121:in `block in render_page'
Updated by Ivan Necas almost 7 years ago
- Blocks Feature #3511: As a security person, I would like Foreman to run in FIPS mode added
Updated by Anonymous almost 7 years ago
- Status changed from New to Assigned
- Assignee set to Anonymous
Updated by Anonymous almost 7 years ago
Opened a PR upstream: https://github.com/spree/deface/pull/180
Updated by Anonymous over 6 years ago
The PR has been merged, new release is pending.
Updated by Ivan Necas over 6 years ago
Additional patch from testing https://github.com/spree/deface/pull/183
Updated by Ewoud Kohl van Wijngaarden over 6 years ago
- Subject changed from Deface uses MD5 and doesn't work in FIPS-enable envrionment to Deface uses MD5 and doesn't work in FIPS-enable environment
- Status changed from Assigned to New
- Assignee deleted (
Anonymous)
Updated by Ivan Necas over 6 years ago
- Blocked by Feature #22119: Replace MD5 hashes with SHA added
Updated by Ivan Necas over 6 years ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/3044 added
New deface to support this properly has been just released
Updated by Anonymous over 6 years ago
- Status changed from New to Resolved
- Fixed in Releases 1.20.0 added
RPMs and DEBs got updated.
Updated by
Actions