Bug 26236 - cloud-init new security issues CVE-2020-863[12]
Summary: cloud-init new security issues CVE-2020-863[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-21 17:39 CET by David Walser
Modified: 2020-08-01 01:27 CEST (History)
CC List: 5 users

See Also:
Source RPM: cloud-init-0.7.5-7.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-02-21 17:39:55 CET
Debian-LTS has issued an advisory today (February 21):
https://www.debian.org/lts/security/2020/dla-2113

Mageia 7 is also affected.
David Walser 2020-02-21 17:40:02 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-02-21 17:55:09 CET

Status comment: (none) => Patches available from Debian

Comment 1 Lewis Smith 2020-02-21 21:09:55 CET
No obvious packager to assign this to, so assigning it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-03-31 23:19:55 CEST
openSUSE has issued an advisory for this on March 29:
https://lists.opensuse.org/opensuse-updates/2020-03/msg00136.html
Comment 3 Nicolas Lécureuil 2020-05-24 16:38:51 CEST
references: 

https://github.com/canonical/cloud-init/commit/42788bf24a1a0a5421a2d00a7f59b59e38ba1a14
https://github.com/xiaofengw-vmware/cloud-init/commit/294be6b7e4687cd72e6f7983935eec1772c45a57

Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7

Comment 4 David Walser 2020-05-24 16:45:49 CEST
i.e., fixed in cloud-init-19.4-3.mga8 by Nicolas.
Comment 5 Nicolas Lécureuil 2020-05-24 16:55:45 CEST
Pushed in mga7 with cloud-init-0.7.5-7.1.mga7

Assignee: pkg-bugs => qa-bugs

Nicolas Lécureuil 2020-05-24 16:55:54 CEST

Status comment: Patches available from Debian => (none)

Comment 6 David Walser 2020-05-24 17:13:02 CEST
Advisory:
========================

Updated cloud-init package fixes security vulnerabilities:

cloud-init relies on Mersenne Twister for a random password, which makes it
easier for attackers to predict passwords, because rand_str in
cloudinit/util.py calls the random.choice function (CVE-2020-8631).

In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a
small default pwlen value, which makes it easier for attackers to guess
passwords (CVE-2020-8632).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632
https://www.debian.org/lts/security/2020/dla-2113
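The two issues in the advisory above, shown side by side in an added example that is not cloud-init's code and not part of the bug report. The weak variant keeps the shape the CVE text describes (a `random.choice` loop, i.e. the Mersenne Twister generator); the hardened variant uses `secrets.choice`, which reads the OS CSPRNG. The character set, the function names `rand_str_weak`, `rand_str_strong` and `rand_user_password`, and the illustrative lengths 9 and 20 are assumptions made for this example, not values quoted from the page. The `state_replay_predicts_password` helper stands in for the real attack: once the Mersenne Twister state is known (it is recoverable from roughly 624 observed 32-bit outputs), every later "random" password is determined.

```python
import math
import random
import secrets
import string

# Assumption for this example: letters and digits, 62 symbols.
DEFAULT_CHARS = string.ascii_letters + string.digits


def rand_str_weak(strlen=32, select=DEFAULT_CHARS, rng=random):
    """Pre-fix shape (CVE-2020-8631): random.choice draws from the
    Mersenne Twister. MT is fast and statistically fine, but it is a
    deterministic function of its internal state and was never designed
    to keep that state secret, so it must not be used for credentials."""
    return "".join(rng.choice(select) for _ in range(strlen))


def rand_str_strong(strlen=32, select=DEFAULT_CHARS):
    """Hardened form: secrets.choice is backed by os.urandom, the OS CSPRNG.
    There is no user-visible state to recover or replay."""
    return "".join(secrets.choice(select) for _ in range(strlen))


def rand_user_password(pwlen=20):
    """Hardened analogue of cc_set_passwords' helper (CVE-2020-8632 concerned a
    small default pwlen). 20 is an illustrative default chosen for this example."""
    return rand_str_strong(pwlen)


def password_entropy_bits(pwlen, select=DEFAULT_CHARS):
    """Entropy of a uniformly drawn password: pwlen * log2(alphabet size).
    Only meaningful when the generator is actually uniform and unpredictable;
    a predictable MT stream has far less effective entropy than this number."""
    return pwlen * math.log2(len(select))


def state_replay_predicts_password(pwlen=9):
    """Model of the MT weakness: an attacker holding a copy of the generator
    state reproduces the 'random' password exactly. getstate() here stands in
    for the state an attacker reconstructs from observed outputs."""
    rng = random.Random()            # seeded from OS entropy, like module-level random
    snapshot = rng.getstate()        # what the attacker recovers
    issued = rand_str_weak(pwlen, rng=rng)
    rng.setstate(snapshot)
    predicted = rand_str_weak(pwlen, rng=rng)
    return issued == predicted


if __name__ == "__main__":
    print("MT state replay predicts password:", state_replay_predicts_password())
    for n in (9, 20):
        print(f"pwlen={n}: {password_entropy_bits(n):.1f} bits (uniform draw)")
    print("hardened password:", rand_user_password())
```

Running the block prints that the state replay reproduces the weak password bit for bit, and that over a 62-symbol alphabet a 9-character password carries about 53.6 bits while a 20-character one carries about 119 bits. The fix therefore has two independent parts: swap the generator (otherwise the entropy figure is fiction) and raise the default length (otherwise the password is short enough to brute-force offline if the hash leaks).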
Comment 7 Brian Rockwell 2020-07-13 20:00:50 CEST
To satisfy dependencies, the following package(s) also need to be installed:

- cgroup-0.41-2.mga7.x86_64
- checkpolicy-2.5-2.mga7.x86_64
- cloud-utils-growpart-0.31-1.mga7.noarch
- lib64apol4-3.3.8-16.mga7.x86_64
- lib64auparse0-2.8.5-1.mga7.x86_64
- lib64cgroup1-0.41-2.mga7.x86_64
- lib64estr0-0.1.11-2.mga7.x86_64
- lib64fastjson4-0.99.8-5.mga7.x86_64
- lib64qpol1-3.3.8-16.mga7.x86_64
- libsemanage-python-2.5-9.mga7.x86_64
- policycoreutils-python-2.5-14.mga7.x86_64
- python-boto-2.45.0-1.mga7.noarch
- python-configobj-5.0.6-4.mga7.noarch
- python-idna-2.7-2.mga7.noarch
- python-IPy-0.83-1.mga7.noarch
- python-jsonpatch-1.21-1.mga7.noarch
- python-jsonpointer-1.10-4.mga7.noarch
- python-prettytable-0.7.2-10.mga7.noarch
- python2-argparse-1.4.0-2.mga7.noarch
- python2-audit-2.8.5-1.mga7.x86_64
- python2-backports-1.0-8.mga7.x86_64
- python2-backports-ssl_match_hostname-3.5.0.1-3.mga7.noarch
- python2-chardet-3.0.4-6.mga7.noarch
- python2-cheetah-3.1.0-4.mga7.x86_64
- python2-ipaddress-1.0.22-1.mga7.noarch
- python2-oauth-1.0.1-14.mga7.noarch
- python2-requests-2.21.0-2.mga7.noarch
- python2-serial-3.4-1.mga7.noarch
- python2-urllib3-1.24.3-1.1.mga7.noarch
- python2-yaml-5.3.1-1.mga7.x86_64
- rsyslog-8.40.0-4.1.mga7.x86_64

24MB of additional disk space will be used.


--

After installation, went to terminal.

[brian@linux ~]$ cloud-init --help
usage: cloud-init [-h] [--version] [--file FILES] [--debug] [--force]
                  {init,modules,query,single} ...

positional arguments:
  {init,modules,query,single}
    init                initializes cloud-init and performs initial modules
    modules             activates modules using a given configuration key
    query               query information stored in cloud-init
    single              run a single module

optional arguments:
  -h, --help            show this help message and exit
  --version, -v         show program's version number and exit
  --file FILES, -f FILES
                        additional yaml configuration files to use
  --debug, -d           show additional pre-action logging (default: False)
  --force               force running even if no datasource is found (use at
                        your own risk)
[brian@linux ~]$ cloud-init --version
cloud-init 0.7.5
[brian@linux ~]$ 


Works for me

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 8 Thomas Andrews 2020-07-14 13:44:38 CEST
Validating. Advisory in Comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2020-07-31 11:08:24 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-08-01 01:27:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0295.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

