Bug 983292

Summary: python-beaker does not work in FIPS environment (in luci deployment)
Product: Red Hat Enterprise Linux 6 Reporter: Jan Pokorný [poki] <jpokorny>
Component: python-beakerAssignee: Jan Pokorný [poki] <jpokorny>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: high Docs Contact:
Priority: high    
Version: 6.4CC: adrew, ahecox, azelinka, bnater, chenders, cluster-maint, djansa, dmalcolm, fdinitto, jharriga, jlyle, jpokorny, lnovich, rmitchel, rnelson, rsteiger
Target Milestone: rcKeywords: Patch
Target Release: 6.4   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-beaker-1.3.1-7.el6 Doc Type: Bug Fix
Doc Text:
Cause: Beaker, a middleware dedicated to web application's cache and session data management, used to yield unique session identification as hex-encoded MD5 digest of variable inputs. Nowadays, this algorithm is discouraged, and in turn implicitly refused by Python's runtime in case of FIPS mode. Consequence: Some web applications using Beaker for sessions handling may not work correctly under FIPS mode. Fix: In parallel with upstream development, session identification is yielded as base64-encoded SHA1 digest of variable inputs. Result: Beaker no longer actively uses MD5 in the default setup, so even the session handling in respective web applications does not suffer in FIPS mode.
 Story Points: ---
Clone Of: 956360
: 996219 (view as bug list) Environment:
Last Closed: 2013-11-21 23:53:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 783158    
Bug Blocks: 691449, 782183, 802364, 840699, 956360    
Attachments:
Description Flags
Proposed patch
none
Polished patch none

Comment 1 Jan Pokorný [poki] 2013-07-10 21:53:17 UTC 
Created attachment 771873 [details]
Proposed patch

Upstream is a bit further as of now, however still contains very similar
bits; analogous patch proposed [1].  Based on the feedback, also the
current patch may change, otherwise I consider it final.

[1] https://github.com/bbangert/beaker/pull/45
Comment 3 Jan Pokorný [poki] 2013-07-15 21:38:08 UTC 
Created attachment 773920 [details]
Polished patch

This reflects the changes proposed to upstream more tightly
(all md5 uses converted + fix a "seld" typo).
Comment 4 Jan Pokorný [poki] 2013-08-06 16:32:40 UTC 
New pull request (rebased on the current head, also turned to be CI passing
whereas the new changes passed as well) accepted: [2]

[2] https://github.com/bbangert/beaker/pull/49#ref-pullrequest-16598672
Comment 13 errata-xmlrpc 2013-11-21 23:53:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1724.html