[SECURITY] [DLA 2601-1] cloud-init security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2601-1] cloud-init security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Sat, 20 Mar 2021 08:09:36 +0530
Message-id: <[🔎] CAPP0f95gA=qa4hTACjp0D7R3-23HuzjFpb+PRKbZZoCqJbvQEw@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2601-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
March 20, 2021                              https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : cloud-init
Version        : 0.7.9-2+deb9u1
CVE ID         : CVE-2021-3429
Debian Bug     : 985540

cloud-init has the ability to generate and set a randomized password
for system users.  This functionality is enabled at runtime by
passing cloud-config data such as:

   chpasswd:
       list: |
           user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.

For Debian 9 stretch, this problem has been fixed in version
0.7.9-2+deb9u1.

We recommend that you upgrade your cloud-init packages.

For the detailed security status of cloud-init please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cloud-init

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmBVYBsACgkQgj6WdgbD
S5bxDg//YUqlElsiS12CrhUwffZaizbQScagRgC1x68BsriBBkgL8lJdcHB7mtJ5
qcjwmNIwbE43YrgzSbM187/bzH+GhLMGH/8ZK0W2N91byt8CrGEwfeQ9afBd8A9F
BmlGN83d5MUoLWKvroxpCCV5/b4r9KDkod7Lrjicm8c0T8ft+SEO3e1VosjvtVy2
MEtjHZ2OwtiFYs0zJyNkRyAxBtUWScKgc8gQ5rhNv1droFLAHX/nr50vomH69eao
bzgGCqBJr5dO+yxoeU5P9dnic+k5aAsENM0sVii0H2CbR9obxYy95ebMbP2ynXEZ
FRIPOAi5CZNXTIwxmdecF9hGc+BysjJeLjZitRwrzJ6AH0sPBtoujKYVV9Ave8hu
zWaSnSuAzndbdfnRGs4OH9iFoQbPpTJyCY2/VEtFYq0xrIY2UTuk99uw7n+RTC6x
UcCQKSk1jS+1XZg6WCo/E6rHDTBoqqVsU10bhzzACvWmeiAhjW8wXnc4EIV1zEjw
rXXNbDPdW1qMECH8sx2MH3B4GncCoIUk3CpA+MLKsSUuhYmM2t+FZk/QEjcMKd1Z
5yN+t7hBMejcBPqLXd92pD1rsxLGIGs6JF2E9R9Hj5NzH1A6/HikGGvAN56rkZUN
4RwPQCrUfIlvUVRUJoFkHNBTGcfs46pRkdeQuwTdYBnixWNMSok=
=4F6a
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2600-1] pygments security update
Next by Date: [SECURITY] [DLA 2558-2] xterm regression update
Previous by thread: [SECURITY] [DLA 2600-1] pygments security update
Next by thread: [SECURITY] [DLA 2558-2] xterm regression update
Index(es):
- Date
- Thread