Debian-LTS has issued an advisory today (February 21):
Mageia 7 is also affected.
Patches available from Debian
No obvious packager to assign this to, so assigning it globally.
openSUSE has issued an advisory for this on March 29:
i.e., fixed in cloud-init-19.4-3.mga8 by Nicolas.
pushed in mga7 with cloud-init-0.7.5-7.1.mga7
Patches available from Debian =>
Updated cloud-init package fixes security vulnerabilities:
cloud-init relies on Mersenne Twister for a random password, which makes it
easier for attackers to predict passwords, because rand_str in
cloudinit/util.py calls the random.choice function (CVE-2020-8631).
In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a
small default pwlen value, which makes it easier for attackers to guess
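
An added example, not cloud-init's code and not part of the advisory above: the random.choice pattern that the CVE-2020-8631 description names, next to a form backed by the OS CSPRNG, plus the entropy bound that password length imposes. The alphabet, the `_weak`/`_strong` function names, the helper functions and the sample lengths are assumptions made for illustration.

```python
import math
import random
import secrets
import string

# Assumed alphabet for illustration; cloud-init's own character set may differ.
ALPHABET = string.ascii_letters + string.digits


def rand_str_weak(strlen, rng=random):
    """Pattern named in CVE-2020-8631: characters picked with random.choice,
    i.e. from the Mersenne Twister, whose output is fixed by its internal state."""
    return "".join(rng.choice(ALPHABET) for _ in range(strlen))


def rand_str_strong(strlen):
    """Hardened form: secrets.choice draws from the operating system CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(strlen))


def entropy_bits(strlen, alphabet=ALPHABET):
    """Upper bound on password entropy, assuming uniformly random characters."""
    return strlen * math.log2(len(alphabet))


def reproducible_with_same_state(strlen, seed):
    """Two Mersenne Twister generators in the same state emit the same password,
    which is why the generator is unsuitable for secrets."""
    first = rand_str_weak(strlen, random.Random(seed))
    second = rand_str_weak(strlen, random.Random(seed))
    return first == second


if __name__ == "__main__":
    print("same state, same password:", reproducible_with_same_state(12, seed=1234))
    for n in (8, 12, 20):  # constructed lengths, not cloud-init defaults
        print(f"len={n:2d}  <= {entropy_bits(n):5.1f} bits  sample={rand_str_strong(n)}")
```

The entropy figure is only an upper bound: it holds for `rand_str_strong`, while a password from `rand_str_weak` carries no more entropy than the generator state behind it.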