| Summary: | cloud-init new security issues CVE-2020-863[12] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | cloud-init-0.7.5-7.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-02-21 17:39:55 CET
David Walser
2020-02-21 17:40:02 CET
Whiteboard:
(none) =>
MGA7TOO
David Walser
2020-02-21 17:55:09 CET
Status comment:
(none) =>
Patches available from Debian
No obvious packager to assign this to, so assigning it globally.
Assignee:
bugsquad =>
pkg-bugs
openSUSE has issued an advisory for this on March 29:
https://lists.opensuse.org/opensuse-updates/2020-03/msg00136.html
references:
https://github.com/canonical/cloud-init/commit/42788bf24a1a0a5421a2d00a7f59b59e38ba1a14
https://github.com/xiaofengw-vmware/cloud-init/commit/294be6b7e4687cd72e6f7983935eec1772c45a57
Whiteboard:
MGA7TOO =>
(none)
i.e., fixed in cloud-init-19.4-3.mga8 by Nicolas.
pushed in mga7 with cloud-init-0.7.5-7.1.mga7
Assignee:
pkg-bugs =>
qa-bugs
Nicolas Lécureuil
2020-05-24 16:55:54 CEST
Status comment:
Patches available from Debian =>
(none)
Advisory:
========================

Updated cloud-init package fixes security vulnerabilities:

cloud-init relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function (CVE-2020-8631).

In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords (CVE-2020-8632).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632
https://www.debian.org/lts/security/2020/dla-2113

To satisfy dependencies, the following package(s) also need to be installed:
- cgroup-0.41-2.mga7.x86_64
- checkpolicy-2.5-2.mga7.x86_64
- cloud-utils-growpart-0.31-1.mga7.noarch
- lib64apol4-3.3.8-16.mga7.x86_64
- lib64auparse0-2.8.5-1.mga7.x86_64
- lib64cgroup1-0.41-2.mga7.x86_64
- lib64estr0-0.1.11-2.mga7.x86_64
- lib64fastjson4-0.99.8-5.mga7.x86_64
- lib64qpol1-3.3.8-16.mga7.x86_64
- libsemanage-python-2.5-9.mga7.x86_64
- policycoreutils-python-2.5-14.mga7.x86_64
- python-boto-2.45.0-1.mga7.noarch
- python-configobj-5.0.6-4.mga7.noarch
- python-idna-2.7-2.mga7.noarch
- python-IPy-0.83-1.mga7.noarch
- python-jsonpatch-1.21-1.mga7.noarch
- python-jsonpointer-1.10-4.mga7.noarch
- python-prettytable-0.7.2-10.mga7.noarch
- python2-argparse-1.4.0-2.mga7.noarch
- python2-audit-2.8.5-1.mga7.x86_64
- python2-backports-1.0-8.mga7.x86_64
- python2-backports-ssl_match_hostname-3.5.0.1-3.mga7.noarch
- python2-chardet-3.0.4-6.mga7.noarch
- python2-cheetah-3.1.0-4.mga7.x86_64
- python2-ipaddress-1.0.22-1.mga7.noarch
- python2-oauth-1.0.1-14.mga7.noarch
- python2-requests-2.21.0-2.mga7.noarch
- python2-serial-3.4-1.mga7.noarch
- python2-urllib3-1.24.3-1.1.mga7.noarch
- python2-yaml-5.3.1-1.mga7.x86_64
- rsyslog-8.40.0-4.1.mga7.x86_64
24MB of additional disk space will be used.
--
after installation went to terminal.
[brian@linux ~]$ cloud-init --help
usage: cloud-init [-h] [--version] [--file FILES] [--debug] [--force]
{init,modules,query,single} ...
positional arguments:
{init,modules,query,single}
init initializes cloud-init and performs initial modules
modules activates modules using a given configuration key
query query information stored in cloud-init
single run a single module
optional arguments:
-h, --help show this help message and exit
--version, -v show program's version number and exit
--file FILES, -f FILES
additional yaml configuration files to use
--debug, -d show additional pre-action logging (default: False)
--force force running even if no datasource is found (use at
your own risk)
[brian@linux ~]$ cloud-init --version
cloud-init 0.7.5
[brian@linux ~]$
Works for me
Whiteboard:
(none) =>
MGA7-64-OK
Validating. Advisory in Comment 6.
Keywords:
(none) =>
validated_update
Dave Hodgins
2020-07-31 11:08:24 CEST
CC:
(none) =>
davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0295.html
Status:
NEW =>
RESOLVED |
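
The two weaknesses named in the advisory in this report, shown as an added example that is not cloud-init's code and not part of the bug thread: a password drawn from a Mersenne Twister generator is fully determined by the generator state, and password length bounds the guessing entropy. The alphabet, function names, seed and sample lengths are assumptions made for illustration.

```python
import math
import random
import secrets
import string

# Assumed alphabet for illustration; cloud-init's own character set may differ.
ALPHABET = string.ascii_letters + string.digits


def rand_str_mt(strlen, rng):
    """Weak pattern (CVE-2020-8631): characters chosen by a Mersenne Twister.

    random.choice() at module level uses a hidden random.Random instance,
    which is the same generator type as the rng passed in here.
    """
    return "".join(rng.choice(ALPHABET) for _ in range(strlen))


def rand_str_csprng(strlen):
    """Hardened pattern: characters chosen from the operating system CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(strlen))


def mt_is_reproducible(seed, strlen):
    """Two Mersenne Twister generators in the same state emit the same password."""
    first = rand_str_mt(strlen, random.Random(seed))
    second = rand_str_mt(strlen, random.Random(seed))
    return first == second


def entropy_bits(strlen, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy (CVE-2020-8632): length * log2(alphabet)."""
    return strlen * math.log2(alphabet_size)


def min_length_for(bits, alphabet_size=len(ALPHABET)):
    """Shortest password length that reaches the requested entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("same state, same password:", mt_is_reproducible(seed=1234, strlen=16))
    for n in (8, 16, 22):  # constructed sample lengths
        print(f"{n:2d} chars -> {entropy_bits(n):5.1f} bits")
    print("length needed for 128 bits:", min_length_for(128))
    print("CSPRNG password:", rand_str_csprng(min_length_for(128)))
```

When reviewing other provisioning code for the same class of issue, look for password or token generation that calls `random.choice` or other `random` module functions, and check the default length against the entropy the deployment requires.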