Bug 26236 - cloud-init new security issues CVE-2020-863[12]
Summary: cloud-init new security issues CVE-2020-863[12]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-21 17:39 CET by David Walser
Modified: 2020-05-24 17:13 CEST

See Also:
Source RPM: cloud-init-0.7.5-7.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-02-21 17:39:55 CET
Debian-LTS has issued an advisory today (February 21):
https://www.debian.org/lts/security/2020/dla-2113

Mageia 7 is also affected.
David Walser 2020-02-21 17:40:02 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-02-21 17:55:09 CET

Status comment: (none) => Patches available from Debian

Comment 1 Lewis Smith 2020-02-21 21:09:55 CET
No obvious packager to assign this to, so assigning it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-03-31 23:19:55 CEST
openSUSE has issued an advisory for this on March 29:
https://lists.opensuse.org/opensuse-updates/2020-03/msg00136.html
Comment 3 Nicolas Lécureuil 2020-05-24 16:38:51 CEST
references: 

https://github.com/canonical/cloud-init/commit/42788bf24a1a0a5421a2d00a7f59b59e38ba1a14
https://github.com/xiaofengw-vmware/cloud-init/commit/294be6b7e4687cd72e6f7983935eec1772c45a57

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia

Comment 4 David Walser 2020-05-24 16:45:49 CEST
i.e., fixed in cloud-init-19.4-3.mga8 by Nicolas.
Comment 5 Nicolas Lécureuil 2020-05-24 16:55:45 CEST
pushed in mga7 with cloud-init-0.7.5-7.1.mga7

Assignee: pkg-bugs => qa-bugs

Nicolas Lécureuil 2020-05-24 16:55:54 CEST

Status comment: Patches available from Debian => (none)

Comment 6 David Walser 2020-05-24 17:13:02 CEST
Advisory:
========================

Updated cloud-init package fixes security vulnerabilities:

cloud-init relies on Mersenne Twister for a random password, which makes it
easier for attackers to predict passwords, because rand_str in
cloudinit/util.py calls the random.choice function (CVE-2020-8631).

In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a
small default pwlen value, which makes it easier for attackers to guess
passwords (CVE-2020-8632).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632
https://www.debian.org/lts/security/2020/dla-2113

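Added example (not cloud-init's code and not part of this bug report): the two
patterns the advisory names, written out as a weak generator beside a hardened
one, followed by a demonstration of why the Mersenne Twister choice is the real
problem: 624 consecutive 32-bit outputs of Python's random module are enough to
rebuild its state and predict every later value, so a password drawn from it is
only as secret as the rest of the generator's output. PW_SET is a constructed
alphabet standing in for the one in cc_set_passwords, the function names mirror
the advisory's, and the state-recovery part assumes CPython's random module
(MT19937, 625-element state tuple). The exact upstream changes are in the
commits linked in Comment 3 and are not reproduced here.

```python
"""Weak vs. hardened password generation in the style flagged by
CVE-2020-8631/8632, plus a Mersenne Twister state-recovery demo.
Example code written for this bug page; not cloud-init's own."""
import math
import random
import secrets
import string

# Constructed alphabet: letters and digits with look-alike characters removed,
# in the spirit of cc_set_passwords. The exact upstream set is an assumption.
PW_SET = "".join(c for c in string.ascii_letters + string.digits
                 if c not in "loLOI01")


def rand_str_weak(strlen=32, select_from=None, rng=random):
    """CVE-2020-8631 pattern: random.choice on the module-global MT19937,
    which is a statistical PRNG, not a CSPRNG."""
    select_from = select_from or (string.ascii_letters + string.digits)
    return "".join(rng.choice(select_from) for _ in range(strlen))


def rand_user_password_weak(pwlen=9):
    """CVE-2020-8632 pattern: a short (9-character) default length."""
    return rand_str_weak(pwlen, select_from=PW_SET)


def rand_str_secure(strlen=32, select_from=None):
    """Hardened form: secrets.choice draws from the OS CSPRNG (os.urandom)."""
    select_from = select_from or (string.ascii_letters + string.digits)
    return "".join(secrets.choice(select_from) for _ in range(strlen))


def rand_user_password_secure(pwlen=20):
    """Hardened form: a 20-character default length."""
    return rand_str_secure(pwlen, select_from=PW_SET)


def entropy_bits(pwlen, alphabet=PW_SET):
    """Size of the guessing space in bits when every position is uniform."""
    return pwlen * math.log2(len(alphabet))


# --- Why MT19937 is the wrong tool: clone the generator from its output ----

def untemper_mt(y):
    """Invert MT19937's output tempering to recover one 32-bit state word."""
    y ^= y >> 18                              # undo y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000               # undo y ^= (y << 15) & mask
    x = y
    for _ in range(5):                        # undo y ^= (y << 7) & mask
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & 0xFFFFFFFF
    x = y
    for _ in range(3):                        # undo y ^= y >> 11
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_mt(outputs):
    """Build a random.Random whose future output matches a victim generator,
    given 624 consecutive getrandbits(32) values observed from it."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper_mt(o) for o in outputs) + (624,)  # 624 = force twist
    clone = random.Random()
    clone.setstate((3, state, None))          # CPython state layout (version 3)
    return clone


def demo_prediction(seed=None):
    """Observe 624 words from a victim generator, clone it, and predict the
    victim's next 9-character password. Returns (predicted, actual)."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt(observed)
    predicted = rand_str_weak(9, PW_SET, rng=clone)
    actual = rand_str_weak(9, PW_SET, rng=victim)
    return predicted, actual


if __name__ == "__main__":
    print("weak   :", rand_user_password_weak(), f"({entropy_bits(9):.1f} bits)")
    print("secure :", rand_user_password_secure(), f"({entropy_bits(20):.1f} bits)")
    pred, real = demo_prediction()
    print("predicted", pred, "actual", real, "match:", pred == real)
```

The clone works even when the victim was seeded from os.urandom, because MT19937
leaks its full state through its output; only the hardened variant, which never
exposes the underlying generator state, closes CVE-2020-8631. Raising pwlen from
9 to 20 more than doubles the guessing space in bits, which is the CVE-2020-8632
side of the fix.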