Debian-LTS has issued an advisory on March 20:
The issue is fixed upstream in 21.2:
Mageia 7 and Mageia 8 are also affected.
MGA8TOO, MGA7TOO
Status comment: Fixed upstream in 21.2
This has been maintained by various people, so assigning the bug globally. CC'ing the registered maintainer Joseph.
For Cauldron and Mageia 8, I added a patch from Debian for that CVE and pushed cloud-init-20.2-2.1.mga8 and cloud-init-20.2-4.mga9 to the BS.
MGA8TOO, MGA7TOO =>
We have 0.7.5 in Mageia 7, so Debian's patch for 0.7.9 might work for us.
Removing Mageia 7 from whiteboard due to EOL:
Assigning to QA as an update for Mageia 8 has been built. Still needs advisory.
Fixed upstream in 21.2 =>
Updated cloud-init package fixes a security vulnerability:
cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as: 'chpasswd: list: | user1:RANDOM'
When instructing cloud-init to set a random password for a new user account, versions before 21.1.19 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user (CVE-2021-3429).
Updated package in core/updates_testing:
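The exposure described in the advisory text above can be checked on a host with a short audit. This is an added example, not part of the original thread or of cloud-init. The banner string in MARKER is an assumption about what cloud-init prints before the generated passwords, and the sample config and log are constructed.

```python
import os, stat, tempfile

# Assumption: banner cloud-init prints before the generated passwords.
MARKER = "Set the following 'random' passwords"

# Constructed sample input, not taken from a real system.
SAMPLE_CONFIG = """#cloud-config
chpasswd:
  list: |
    user1:RANDOM
    user2:fixed-value
"""
SAMPLE_LOG = """Cloud-init v. 20.2 running 'modules:config'
Set the following 'random' passwords

user1:constructed-secret
"""

def random_password_users(cloud_config_text):
    """Users whose chpasswd list entry asks for a RANDOM password."""
    users = []
    for line in cloud_config_text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and value.strip() == "RANDOM":
            users.append(name)
    return users

def audit_log(path, users):
    """Return (world_readable, users whose password line is in the log)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    leaked, seen_marker = [], False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            name, sep, _ = line.strip().partition(":")
            if MARKER in line:
                seen_marker = True
            elif seen_marker and sep and name in users:
                leaked.append(name)  # record the name only, never the secret
    return bool(mode & stat.S_IROTH), leaked

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.write(SAMPLE_LOG)
    os.chmod(tmp.name, 0o644)  # world-readable, as the advisory describes
    wanted = random_password_users(SAMPLE_CONFIG)
    print(wanted, audit_log(tmp.name, wanted))
    os.remove(tmp.name)
```

On a real host, pass /var/log/cloud-init-output.log as the path; any user reported alongside a world-readable result should have that password rotated after the package update.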