[SECURITY] [DLA 2113-1] cloud-init security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : cloud-init
Version        : 0.7.6~bzr976-2+deb8u1
CVE ID         : CVE-2020-8631 CVE-2020-8632
Debian Bug     : 951362 951363


CVE-2020-8631

    cloud-init relies on Mersenne Twister for a random password,
    which makes it easier for attackers to predict passwords, because
    rand_str in cloudinit/util.py calls the random.choice function.

CVE-2020-8632

    In cloud-init, rand_user_password in
    cloudinit/config/cc_set_passwords.py has a small default pwlen
    value, which makes it easier for attackers to guess passwords.

For Debian 8 "Jessie", these problems have been fixed in version
0.7.6~bzr976-2+deb8u1.

We recommend that you upgrade your cloud-init packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
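
The two issues above, as an added example that is not part of the advisory or of cloud-init's code: a random.choice-based generator beside a CSPRNG-backed one, the effect of length on guessing entropy, and a small source audit for module-level random calls. The alphabet, the lengths 8 and 20, the sample source, and every function name other than the pattern being imitated are assumptions chosen for illustration.

```python
import ast
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed character set


def rand_str_weak(strlen, rng=random):
    # Pattern the advisory describes: random.choice is backed by Mersenne Twister.
    return "".join(rng.choice(ALPHABET) for _ in range(strlen))


def rand_str_strong(strlen):
    # Hardened form: secrets.choice draws from the operating system CSPRNG.
    return "".join(secrets.choice(ALPHABET) for _ in range(strlen))


def replay_from_state(state, strlen):
    # Mersenne Twister is deterministic: a copy of its state repeats the password.
    rng = random.Random()
    rng.setstate(state)
    return rand_str_weak(strlen, rng)


def entropy_bits(strlen, alphabet_size=len(ALPHABET)):
    # Guessing work, in bits, for a uniformly random password of this length.
    return strlen * math.log2(alphabet_size)


def find_weak_rng_calls(source):
    # Audit helper: (line, function) for each random.<function>(...) call.
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "random"
                and node.func.attr != "SystemRandom"):  # SystemRandom is a CSPRNG
            hits.append((node.lineno, node.func.attr))
    return sorted(hits)


# Constructed sample of the flagged pattern (not cloud-init's actual source).
SAMPLE = ("import random\n" "def rand_str(n, chars):\n"
          "    return ''.join(random.choice(chars) for _ in range(n))\n")

if __name__ == "__main__":
    print(find_weak_rng_calls(SAMPLE), round(entropy_bits(8), 1), round(entropy_bits(20), 1))
```

With the 62-character alphabet assumed here, 8 characters give about 47.6 bits and 20 characters about 119.1 bits, and only the CSPRNG-backed generator makes those figures meaningful.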

