
Bug#1035023: marked as done (cloud-init: CVE-2023-1786)



Your message dated Wed, 14 Jun 2023 19:19:03 +0200
with message-id <ZIn2h2CPQjwJ7GMg@eldamar.lan>
and subject line [ftpmaster@ftp-master.debian.org: Accepted cloud-init 23.2-1 (source) into unstable]
has caused the Debian Bug report #1035023,
regarding cloud-init: CVE-2023-1786
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1035023: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035023
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cloud-init
Version: 22.4.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cloud-init.

CVE-2023-1786[0]:
| Sensitive data could be exposed in logs of cloud-init before version
| 23.1.2. An attacker could use this information to find hashed
| passwords and possibly escalate their privilege.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1786
    https://www.cve.org/CVERecord?id=CVE-2023-1786
[1] https://bugs.launchpad.net/cloud-init/+bug/2013967
[2] https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cloud-init
Source-Version: 23.2-1

Also fixes CVE-2023-1786.

----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----

Format: 1.8
Date: Wed, 14 Jun 2023 09:42:18 -0700
Source: cloud-init
Architecture: source
Version: 23.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 999400 1005318 1008039
Changes:
 cloud-init (23.2-1) unstable; urgency=medium
 .
   [ Jochen Sprickerhof ]
   * Drop unused build dependencies
 .
   [ Noah Meyerhans ]
   * New upstream version 23.2 (Closes: #1008039, #1005318, #999400)
   * Refresh patches
   * drop special handling of files that no longer exist upstream
   * drop dependency on obsolete lsb-base package



----- End forwarded message -----

--- End Message ---
