camel-dev mailing list archives

From MrLion <...@git.apache.org>
Subject camel pull request: VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID...
Date Thu, 26 Dec 2013 12:47:07 GMT
GitHub user MrLion opened a pull request:

    https://github.com/apache/camel/pull/80

    VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID 331)

    During a Veracode scan of our application we discovered several warnings in Camel. Please review our fix and apply it if it makes sense.
    
    Quote from Veracode report below:
    Insufficient Entropy (CWE ID 331)(7 flaws)
    Description
    Standard random number generators do not provide a sufficient amount of entropy when used for security purposes.
    Attackers can brute force the output of pseudorandom number generators such as rand().
    Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
    Recommendations
    If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/engagepoint/camel patch-ENT-Entropy

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/camel/pull/80.patch

----
commit de7766f2451a7013b54c285f378bf7cbfef1d766
Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
Date:   2013-12-20T14:43:55Z

    VERACODE-659: fix of CWE ID 331 insufficient entropy in RandomLoadBalancer

commit a1920ad74c7f10ce3148482bd7d033b530a3e681
Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
Date:   2013-12-20T14:49:43Z

    VERACODE-660: fix of CWE ID 331 insufficient entropy in RedeliveryPolicy

commit a3ea9952d612a7214815d5ea3c2102fd7819eb6d
Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
Date:   2013-12-20T14:52:50Z

    VERACODE-663: fix of CWE ID 331 insufficient entropy in WeightedRandomLoadBalancer

commit fa7a52fe6ce05a26c3826161fc8c3e42eebb2861
Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
Date:   2013-12-20T14:56:10Z

    VERACODE-654: fix of CWE ID 331 insufficient entropy in FileUtil

----
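
The distinction the quoted report draws, shown in Java as an added example; it is not code from the pull request or from Camel. The class name, method names and the timestamp-derived seed are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

public class EntropyDemo {
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak form: java.util.Random is a 48-bit linear congruential generator,
    // so every byte of the token is a deterministic function of the seed.
    static String weakToken(long seed) {
        byte[] buf = new byte[16];
        new Random(seed).nextBytes(buf);
        return toHex(buf);
    }

    // Hardened form: SecureRandom is the JDK's cryptographically strong generator.
    static String strongToken() {
        byte[] buf = new byte[16];
        SECURE.nextBytes(buf);
        return toHex(buf);
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Returns the seed in [from, to] that reproduces the token, or -1 if none does.
    static long matchingSeed(String token, long from, long to) {
        for (long s = from; s <= to; s++) {
            if (weakToken(s).equals(token)) {
                return s;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        long seed = 1388062027123L; // constructed sample: a millisecond timestamp
        String weak = weakToken(seed);
        // Knowing the issue time to within a second leaves about 2000 candidates.
        long found = matchingSeed(weak, seed - 1000, seed + 1000);
        System.out.println("weak token   " + weak + " reproduced from seed " + found);
        // A 128-bit SecureRandom token has no such seed window to enumerate.
        System.out.println("strong token " + strongToken());
    }
}
```

The same review question applies to each call site a scanner flags: whether the value is ever used as a secret or an unguessable identifier decides whether `SecureRandom` is required there.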

