Debian-LTS has issued an advisory today (February 21):
https://www.debian.org/lts/security/2020/dla-2113

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patches available from Debian
No obvious packager to assign this to, so assigning it globally.
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this on March 29: https://lists.opensuse.org/opensuse-updates/2020-03/msg00136.html
references:
https://github.com/canonical/cloud-init/commit/42788bf24a1a0a5421a2d00a7f59b59e38ba1a14
https://github.com/xiaofengw-vmware/cloud-init/commit/294be6b7e4687cd72e6f7983935eec1772c45a57
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
i.e., fixed in cloud-init-19.4-3.mga8 by Nicolas.
pushed in mga7 with cloud-init-0.7.5-7.1.mga7
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from Debian => (none)
Advisory:
========================

Updated cloud-init package fixes security vulnerabilities:

cloud-init relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function (CVE-2020-8631).

In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords (CVE-2020-8632).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632
https://www.debian.org/lts/security/2020/dla-2113
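The two issues named in the advisory above, as an added example that is not part of this bug report and is not cloud-init's own code: a string generator built on Mersenne Twister beside one drawing from the OS CSPRNG, plus the entropy a given pwlen provides. The alphabet, the function names and the use of random.SystemRandom as the replacement are assumptions made for this illustration.

```python
import math
import random
import string

# Assumed alphabet for this example; the page does not list the real one.
ALPHABET = string.ascii_letters + string.digits


def rand_str_weak(strlen, select_from=ALPHABET, rng=random):
    """Pattern described for CVE-2020-8631: random.choice is backed by
    Mersenne Twister, whose output is fully determined by its state."""
    return "".join(rng.choice(select_from) for _ in range(strlen))


def rand_str_hardened(strlen, select_from=ALPHABET):
    """Same interface, but every draw comes from the OS CSPRNG."""
    rng = random.SystemRandom()
    return "".join(rng.choice(select_from) for _ in range(strlen))


def is_reproducible(make_rng, strlen=32):
    """Audit check: build two generators from the same seed and compare.
    A password source must never pass this test."""
    first = rand_str_weak(strlen, rng=make_rng(1234))
    second = rand_str_weak(strlen, rng=make_rng(1234))
    return first == second


def entropy_bits(pwlen, select_from=ALPHABET):
    """Upper bound on password entropy, reached only with a uniform CSPRNG."""
    return pwlen * math.log2(len(set(select_from)))


def min_pwlen(target_bits, select_from=ALPHABET):
    """Smallest pwlen giving at least target_bits (the CVE-2020-8632 side)."""
    return math.ceil(target_bits / math.log2(len(set(select_from))))


if __name__ == "__main__":
    print("Mersenne Twister reproducible:", is_reproducible(random.Random))
    print("SystemRandom reproducible:   ", is_reproducible(random.SystemRandom))
    for length in (8, 12, 16, 20):  # constructed sample lengths
        print(f"pwlen={length:2d} -> {entropy_bits(length):6.1f} bits")
    print("pwlen needed for 128 bits:", min_pwlen(128))
    print("sample hardened password: ", rand_str_hardened(min_pwlen(128)))
```
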
To satisfy dependencies, the following package(s) also need to be installed:

- cgroup-0.41-2.mga7.x86_64
- checkpolicy-2.5-2.mga7.x86_64
- cloud-utils-growpart-0.31-1.mga7.noarch
- lib64apol4-3.3.8-16.mga7.x86_64
- lib64auparse0-2.8.5-1.mga7.x86_64
- lib64cgroup1-0.41-2.mga7.x86_64
- lib64estr0-0.1.11-2.mga7.x86_64
- lib64fastjson4-0.99.8-5.mga7.x86_64
- lib64qpol1-3.3.8-16.mga7.x86_64
- libsemanage-python-2.5-9.mga7.x86_64
- policycoreutils-python-2.5-14.mga7.x86_64
- python-boto-2.45.0-1.mga7.noarch
- python-configobj-5.0.6-4.mga7.noarch
- python-idna-2.7-2.mga7.noarch
- python-IPy-0.83-1.mga7.noarch
- python-jsonpatch-1.21-1.mga7.noarch
- python-jsonpointer-1.10-4.mga7.noarch
- python-prettytable-0.7.2-10.mga7.noarch
- python2-argparse-1.4.0-2.mga7.noarch
- python2-audit-2.8.5-1.mga7.x86_64
- python2-backports-1.0-8.mga7.x86_64
- python2-backports-ssl_match_hostname-3.5.0.1-3.mga7.noarch
- python2-chardet-3.0.4-6.mga7.noarch
- python2-cheetah-3.1.0-4.mga7.x86_64
- python2-ipaddress-1.0.22-1.mga7.noarch
- python2-oauth-1.0.1-14.mga7.noarch
- python2-requests-2.21.0-2.mga7.noarch
- python2-serial-3.4-1.mga7.noarch
- python2-urllib3-1.24.3-1.1.mga7.noarch
- python2-yaml-5.3.1-1.mga7.x86_64
- rsyslog-8.40.0-4.1.mga7.x86_64

24MB of additional disk space will be used.

-- after installation went to terminal.

[brian@linux ~]$ cloud-init --help
usage: cloud-init [-h] [--version] [--file FILES] [--debug] [--force]
                  {init,modules,query,single} ...

positional arguments:
  {init,modules,query,single}
    init                initializes cloud-init and performs initial modules
    modules             activates modules using a given configuration key
    query               query information stored in cloud-init
    single              run a single module

optional arguments:
  -h, --help            show this help message and exit
  --version, -v         show program's version number and exit
  --file FILES, -f FILES
                        additional yaml configuration files to use
  --debug, -d           show additional pre-action logging (default: False)
  --force               force running even if no datasource is found (use at
                        your own risk)
[brian@linux ~]$ cloud-init --version
cloud-init 0.7.5
[brian@linux ~]$

Works for me
Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1
Validating. Advisory in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0295.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED