[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#926043: CVE-2019-0816

On 3/30/19 8:10 PM, Moritz Muehlenhoff wrote:
> Package: cloud-init
> Severity: grave
> Tags: security
> This was assigned CVE-2019-0816:
> https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
> https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
> Is this something that affects cloud-init as shipped in Debian or in the way we generate Debian
> images for Azure?
> Cheers,
>         Moritz

Hi Moritz,

If I understand well the problem, the issue is simply that some extra
Microsoft keys may end up being setup into an Azure Debian instance. I
don't see this as a very "grave" security issue because:

1/ Azure users must trust Azure anyways, otherwise, they should just
stop doing hosting there.
2/ It only affects Azure users.

I'm not even sure that our image is really using cloud-init to do the
ssh key provisioning, if I'm not mistaking, it's using the Azure agent
to do that (can Bastian confirm this?).

In any case, can we downgrade this bug to "important"? Or am I missing
something here?


Thomas Goirand (zigo)

Reply to: