
Bug#951363: marked as done (cloud-init: CVE-2020-8632)



Your message dated Tue, 18 Feb 2020 23:49:45 +0000
with message-id <E1j4Ccb-0006Ey-HW@fasolo.debian.org>
and subject line Bug#951363: fixed in cloud-init 19.4-2
has caused the Debian Bug report #951363,
regarding cloud-init: CVE-2020-8632
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
951363: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951363
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cloud-init
Version: 19.4-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/canonical/cloud-init/pull/189
Control: found -1 19.3-2

Hi,

The following vulnerability was published for cloud-init.

CVE-2020-8632[0]:
| In cloud-init through 19.4, rand_user_password in
| cloudinit/config/cc_set_passwords.py has a small default pwlen value,
| which makes it easier for attackers to guess passwords.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8632
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632
[1] https://github.com/canonical/cloud-init/pull/189

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cloud-init
Source-Version: 19.4-2
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 951363@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Feb 2020 14:17:28 -0800
Source: cloud-init
Architecture: source
Version: 19.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 951362 951363
Changes:
 cloud-init (19.4-2) unstable; urgency=medium
 .
   * Import upstream fix for CVE-2020-8632.  rand_user_password generates
     passwords of insufficient length.  (Closes: #951363)
   * Import upstream fix for CVE-2020-8631.  Cloud-init uses an insufficient
     source of randomness when generating passwords. (Closes: #951362)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
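
The two issues closed by this upload (CVE-2020-8632, password length; CVE-2020-8631, randomness source) are illustrated by the following added example, which is not cloud-init's code and not part of the original thread. The alphabet, the 100-bit threshold and every function name here are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed alphabet for this example: letters and digits without look-alikes.
AMBIGUOUS = set("0O1lI")
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS
)


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a password of `length` characters drawn uniformly and
    independently from `alphabet`.

    The figure only holds when a CSPRNG picks the characters. With a
    non-cryptographic generator the real bound is the generator's
    internal state, whatever the password length.
    """
    return length * math.log2(len(set(alphabet)))


def min_length_for(bits, alphabet=ALPHABET):
    """Smallest password length whose entropy reaches `bits`."""
    return math.ceil(bits / math.log2(len(set(alphabet))))


def rand_password(length, alphabet=ALPHABET, min_bits=100):
    """Generate a password from the OS CSPRNG and refuse weak lengths.

    `min_bits` is an illustrative policy threshold, not a value taken
    from cloud-init or from the advisory.
    """
    have = entropy_bits(length, alphabet)
    if have < min_bits:
        need = min_length_for(min_bits, alphabet)
        raise ValueError(
            f"length {length} gives {have:.1f} bits; "
            f"need at least {need} characters for {min_bits} bits"
        )
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n in (8, 12, 18, 24):
        print(f"{n:2d} chars -> {entropy_bits(n):6.1f} bits")
    print(rand_password(min_length_for(100)))
```
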
