Bug #23363

Katello uses md5hash function incompatible with FIPS-enabled environments

Added by Peter Ondrejka over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Category: -
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

This came out after enabling FIPS mode on the underlying RHEL 7 with already installed foreman+katello (using a workaround that overrides the Digest::MD5 class and logs which gem used it); any content-related task logs the following. I know the FIPS support is currently blocked on the Pulp side, though I'm raising this Katello issue beforehand:

2018-04-20T05:03:45 [W|app|ec60e] FIPS issue: calling 'new' from
 | /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0/app/lib/katello/util/data.rb:9:in `md5hash'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0/app/models/katello/content_view.rb:648:in `generate_cp_environment_id'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0/app/models/katello/content_view.rb:457:in `add_environment'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0/app/lib/actions/katello/content_view/add_to_environment.rb:10:in `plan'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/action.rb:493:in `block (3 levels) in execute_plan'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/middleware/stack.rb:26:in `pass'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/middleware.rb:18:in `pass'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/middleware.rb:35:in `plan'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/middleware/stack.rb:22:in `call'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/middleware/stack.rb:26:in `pass'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/middleware.rb:18:in `pass'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/middleware.rb:35:in `plan'
...
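
One way an audit shim of the kind mentioned in the description could look, as an added example that is not the reporter's workaround and not Katello or Foreman code: it is prepended onto Digest::MD5, records each call, and attributes it to the first gem found in the backtrace. The `Md5Audit` module and its method names are hypothetical.

```ruby
require 'digest/md5'

# Added example (not Katello code): log who calls Digest::MD5 before enabling FIPS.
module Md5Audit
  CALLS = [] # in-memory log for the demo; a real shim would write to the app logger

  # "katello-3.7.0" from ".../gems/gems/katello-3.7.0/app/..."; nil outside a gem dir.
  def self.gem_of(path)
    path[%r{/gems/([^/]+-\d[^/]*)/}, 1]
  end

  # Attribute a call to the innermost frame that lives in an installed gem.
  def self.record(meth, frames)
    paths = frames.map { |f| f.respond_to?(:path) ? f.path.to_s : f.to_s }
    owner = paths.map { |p| gem_of(p) }.compact.first || '(application code)'
    CALLS << { method: meth, gem: owner, site: frames.first.to_s }
    owner
  end

  # Tally of recorded calls per gem, e.g. {"katello-3.7.0" => 2}.
  def self.by_gem
    CALLS.group_by { |c| c[:gem] }.transform_values(&:size)
  end

  # Prepended onto Digest::MD5's singleton class, so `super` reaches the real method.
  module Hook
    def new(*args)
      Md5Audit.record(:new, caller_locations(1, 10))
      super
    end

    # hexdigest and base64digest dispatch to digest, so this covers them too.
    def digest(*args)
      Md5Audit.record(:digest, caller_locations(1, 10))
      super
    end
  end
end

Digest::MD5.singleton_class.prepend(Md5Audit::Hook)
```

`Md5Audit.by_gem` then gives a per-gem count of MD5 call sites to work through before FIPS mode is switched on.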

Related issues

Related to Foreman - Feature #3511: As a security person, I would like Foreman to run in FIPS mode (Resolved)
Related to Katello - Bug #25080: Regenerate VCR cassettes after changing the default hashing algorithm (Closed)

Associated revisions

Revision 39b472d5 (diff)
Added by Dmitri Dolguikh over 2 years ago

Fixes #23363 - Use ActiveSupport::Digest when available

History

#1 Updated by Peter Ondrejka over 2 years ago

  • Related to Feature #3511: As a security person, I would like Foreman to run in FIPS mode added

#2 Updated by The Foreman Bot over 2 years ago

  • Assignee set to Dmitri Dolguikh
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/7335 added

#3 Updated by Dmitri Dolguikh over 2 years ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#4 Updated by Jonathon Turel over 2 years ago

  • Legacy Backlogs Release (now unused) set to 338

#5 Updated by Ivan Necas about 2 years ago

  • Related to Bug #25080: Regenerate VCR cassettes after changing the default hashing algorithm added
