Bug #23128
Deface uses MD5 and doesn't work in FIPS-enable environment
Status: Resolved
Priority: Normal
Assignee: -
Category: Security
Target version: -
Fixed in Releases:
Found in Releases:
Description
How to reproduce:
1. install a plugin that uses deface (e.g. katello, foreman_remote_execution…)
2. use the web server or call `rake apipie:cache:index`
Results:
MD5 is used by deface with the following backtrace:
| /opt/theforeman/tfm/root/usr/share/gems/gems/deface-1.2.0/lib/deface/action_view_extensions.rb:55:in `method_name'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:157:in `block in render'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activesupport-5.1.4/lib/active_support/notifications.rb:168:in `instrument'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:352:in `instrument_render_template'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:155:in `render'
| /opt/theforeman/tfm/root/usr/share/gems/gems/deface-1.2.0/lib/deface/action_view_extensions.rb:41:in `render'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:64:in `render_with_layout'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:50:in `render_template'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:14:in `render'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/renderer.rb:42:in `render_template'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/renderer.rb:23:in `render'
| /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/helpers/rendering_helper.rb:32:in `render'
| /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-rails-0.5.6/lib/tasks/apipie.rake:121:in `block in render_page'
Related issues
History
#1
Updated by Ivan Necas about 4 years ago
- Blocks Feature #3511: As a security person, I would like Foreman to run in FIPS mode added
#2
Updated by Dmitri Dolguikh about 4 years ago
- Assignee set to Dmitri Dolguikh
- Status changed from New to Assigned
#3
Updated by Dmitri Dolguikh about 4 years ago
Opened a PR upstream: https://github.com/spree/deface/pull/180
#4
Updated by Dmitri Dolguikh about 4 years ago
The PR has been merged, new release is pending.
#5
Updated by Ivan Necas about 4 years ago
Additional patch from testing https://github.com/spree/deface/pull/183
#6
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Assignee deleted (Dmitri Dolguikh)
- Status changed from Assigned to New
- Subject changed from Deface uses MD5 and doesn't work in FIPS-enable envrionment to Deface uses MD5 and doesn't work in FIPS-enable environment
#7
Updated by Ivan Necas over 3 years ago
- Blocked by Feature #22119: Replace MD5 hashes with SHA added
#8
Updated by Ivan Necas over 3 years ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/3044 added
New deface to support this properly has been just released
#9
Updated by Anonymous over 3 years ago
- Status changed from New to Resolved
- Fixed in Releases 1.20.0 added
RPMs and DEBs got updated.
#10
Updated by Tomer Brisker over 3 years ago
- Category set to Security