Bug #23128

Deface uses MD5 and doesn't work in FIPS-enable environment

Added by Ivan Necas 9 months ago. Updated 2 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Security
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

How to reproduce:

1. Install a plugin that uses deface (e.g. katello, foreman_remote_execution…)
2. Use the web server or call `rake apipie:cache:index`

Results:

MD5 is used by deface with the following backtrace:

 | /opt/theforeman/tfm/root/usr/share/gems/gems/deface-1.2.0/lib/deface/action_view_extensions.rb:55:in `method_name'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:157:in `block in render'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activesupport-5.1.4/lib/active_support/notifications.rb:168:in `instrument'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:352:in `instrument_render_template'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/template.rb:155:in `render'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/deface-1.2.0/lib/deface/action_view_extensions.rb:41:in `render'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:64:in `render_with_layout'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:50:in `render_template'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/template_renderer.rb:14:in `render'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/renderer.rb:42:in `render_template'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/renderer/renderer.rb:23:in `render'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/actionview-5.1.4/lib/action_view/helpers/rendering_helper.rb:32:in `render'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-rails-0.5.6/lib/tasks/apipie.rake:121:in `block in render_page'
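
An audit step for the failure reported above, as an added example that is not part of the original report and is not deface or Foreman code: a Ruby script that lists MD5 call sites under a gem directory and reads the Linux kernel's FIPS flag. The pattern list, the helper names and the sample tree are assumptions constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"
# Common spellings of an MD5 call in Ruby source (assumed list, not exhaustive).
MD5_PATTERNS = [
  /\bDigest::MD5\b/,                 # Digest::MD5 and OpenSSL::Digest::MD5
  /\bDigest\.new\(\s*["']md5["']/i   # OpenSSL::Digest.new("md5")
].freeze

# True when the Linux kernel reports FIPS mode; the path is a parameter for testing.
def fips_enabled?(flag = "/proc/sys/crypto/fips_enabled")
  File.file?(flag) && File.read(flag).strip == "1"
end

# Return one hash per non-comment line under +root+ that references MD5.
def md5_call_sites(root)
  Dir.glob(File.join(root, "**", "*.{rb,rake}")).sort.flat_map do |path|
    File.readlines(path, encoding: "UTF-8").each_with_index.filter_map do |raw, idx|
      line = raw.scrub
      next if line.match?(/\A\s*#/)  # whole-line comments are not call sites
      next unless MD5_PATTERNS.any? { |re| line.match?(re) }
      { file: path.delete_prefix("#{root}/"), line: idx + 1, source: line.strip }
    end
  end
end

# Constructed sample tree standing in for a gem directory (not deface's real code).
def build_sample_tree(root)
  FileUtils.mkdir_p(File.join(root, "lib", "tasks"))
  File.write(File.join(root, "lib", "view_ext.rb"), <<~'RUBY')
    # Digest::MD5 is mentioned here only in a comment
    def cache_method_name(key)
      "_#{Digest::MD5.hexdigest(key)}"
    end
  RUBY
  File.write(File.join(root, "lib", "safe.rb"), <<~'RUBY')
    def fingerprint(data) = Digest::SHA256.hexdigest(data)
  RUBY
  File.write(File.join(root, "lib", "tasks", "cache.rake"), <<~'RUBY')
    task(:stamp) { puts OpenSSL::Digest.new("md5").hexdigest("x") }
  RUBY
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    md5_call_sites(dir).each { |s| puts "#{s[:file]}:#{s[:line]}: #{s[:source]}" }
    puts "kernel FIPS mode: #{fips_enabled?}"
  end
end
```

Pointing `md5_call_sites` at a real gem directory instead of the sample tree gives the list of lines to review before enabling FIPS mode.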

Related issues

Blocks Foreman - Feature #3511: As a security person, I would like Foreman to run in FIPS mode (Resolved)
Blocked by Foreman - Feature #22119: Replace MD5 hashes with SHA (Closed)

History

#1 Updated by Ivan Necas 9 months ago

  • Blocks Feature #3511: As a security person, I would like Foreman to run in FIPS mode added

#2 Updated by Dmitri Dolguikh 9 months ago

  • Assignee set to Dmitri Dolguikh
  • Status changed from New to Assigned

#4 Updated by Dmitri Dolguikh 7 months ago

The PR has been merged, new release is pending.

#5 Updated by Ivan Necas 7 months ago

Additional patch from testing https://github.com/spree/deface/pull/183

#6 Updated by Ewoud Kohl van Wijngaarden 4 months ago

  • Assignee deleted (Dmitri Dolguikh)
  • Status changed from Assigned to New
  • Subject changed from Deface uses MD5 and doesn't work in FIPS-enable envrionment to Deface uses MD5 and doesn't work in FIPS-enable environment

#7 Updated by Ivan Necas 3 months ago

#8 Updated by Ivan Necas 3 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/3044 added

A new deface that supports this properly has just been released.

#9 Updated by Michael Moll 2 months ago

  • Status changed from New to Resolved
  • Fixed in Releases 1.20.0 added

RPMs and DEBs got updated.

#10 Updated by Tomer Brisker 2 months ago

  • Category set to Security
