
Bug#985540: marked as done (cloud-init logs sensitive password data to world-readable files)



Your message dated Fri, 19 Mar 2021 16:48:26 +0000
with message-id <E1lNIIU-000FoG-0d@fasolo.debian.org>
and subject line Bug#985540: fixed in cloud-init 20.4.1-2
has caused the Debian Bug report #985540,
regarding cloud-init logs sensitive password data to world-readable files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985540: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985540
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cloud-init
Version: 20.4-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

cloud-init has the ability to generate and set a randomized password for
system users.  This functionality is enabled at runtime by passing
cloud-config data such as:

   chpasswd:
       list: |
           user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.

This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

This issue has been allocated CVE-2021-3429.

--- End Message ---
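The report above describes two conditions that together make the leak exploitable on a host: a generated password is written into a cloud-init log, and that log is readable by every local user. The script below is an added defensive example, not code from the bug report, from Debian or from the cloud-init project. It audits log files for both conditions: it checks whether the file mode grants world read access, and it looks for a block of `user:password` lines following the marker line that affected versions are assumed to print before the generated passwords (the marker string, the sample log content and the default log paths are assumptions; verify them against the cloud-init version you run). It reports only the affected usernames, never the passwords themselves, so running it does not copy secrets into yet another file.

```python
"""Audit cloud-init logs for leaked generated passwords and loose permissions.

Added defensive example; not part of the Debian bug report or of cloud-init.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed marker that affected versions print before the list of generated
# passwords (an assumption; confirm against your cloud-init version).
RANDOM_PW_MARKER = "Set the following 'random' passwords"
# A chpasswd-style "user:password" continuation line.
USER_PW_RE = re.compile(r"^\s*(?P<user>[a-z_][a-z0-9_-]*):(?P<pw>\S+)\s*$")
# Assumed default log locations on Debian-derived systems.
DEFAULT_LOGS = ["/var/log/cloud-init.log", "/var/log/cloud-init-output.log"]

# Constructed sample log content (not captured from a real system).
SAMPLE_LOG = """\
2021-03-19 16:40:01,001 - util.py[DEBUG]: Reading from /etc/cloud/cloud.cfg (quiet=False)
2021-03-19 16:40:02,412 - cc_set_passwords.py[DEBUG]: Set the following 'random' passwords
user1:Xk9v2LmQpR3t
deploy:aB7cD8eF9gH0
2021-03-19 16:40:02,500 - cc_set_passwords.py[DEBUG]: chpasswd finished
"""


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set on a file mode."""
    return bool(mode & stat.S_IROTH)


def find_leaked_users(lines):
    """Return usernames whose generated password appears in the log lines.

    Only lines directly following the marker are considered, so ordinary
    'key:value' content elsewhere in the log is not reported. The password
    values are matched but deliberately not returned.
    """
    leaked = []
    in_block = False
    for line in lines:
        if RANDOM_PW_MARKER in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = USER_PW_RE.match(line)
        if m:
            leaked.append(m.group("user"))
        else:
            # Any line that is not a user:password pair ends the block.
            in_block = False
    return leaked


def audit_log_file(path):
    """Audit one log file; returns None if it does not exist."""
    p = Path(path)
    if not p.exists():
        return None
    mode = p.stat().st_mode
    with p.open("r", errors="replace") as fh:
        leaked = find_leaked_users(fh)
    return {
        "path": str(p),
        "world_readable": is_world_readable(mode),
        "leaked_users": leaked,
    }


def demo():
    """Write the constructed sample to a 0644 temp file and audit it."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".log") as tmp:
        tmp.write(SAMPLE_LOG)
        path = tmp.name
    os.chmod(path, 0o644)  # world-readable, as in the reported configuration
    try:
        return audit_log_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("sample:", demo())
    for log in DEFAULT_LOGS:
        result = audit_log_file(log)
        if result is not None:
            print(result)
```

On a host where the audit reports both `world_readable` and a non-empty `leaked_users` list, the practical response is to rotate the listed accounts' passwords, tighten the log file mode (and any log rotation copies), and upgrade to a fixed cloud-init version so the block is not written again on the next boot.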
--- Begin Message ---
Source: cloud-init
Source-Version: 20.4.1-2
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985540@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Mar 2021 09:18:59 -0700
Source: cloud-init
Architecture: source
Version: 20.4.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 985540
Changes:
 cloud-init (20.4.1-2) unstable; urgency=high
 .
   * Avoid logging generated passwords to world-readable log files.
     CVE-2021-3429. (Closes: #985540)
Checksums-Sha1:
 ca9314a0de20fa02f333ac728b023940a0ba4bb2 2413 cloud-init_20.4.1-2.dsc
 29447e11df809e8c71f0a0bbfba97a65fca61b4c 28300 cloud-init_20.4.1-2.debian.tar.xz
 75abd3195bf79233007ee83526f4f2088ab18a8d 6464 cloud-init_20.4.1-2_source.buildinfo
Checksums-Sha256:
 9e2bc448dda24cf202bbfa2e0b6a66d6de7d12d94043c2f944aa57974aa49ced 2413 cloud-init_20.4.1-2.dsc
 f8e0acc6b0f7084b27528b5b4608b504dece27089e038ef896bb89a4dc19c41e 28300 cloud-init_20.4.1-2.debian.tar.xz
 dbe8d2b8a8c6e9da482b1c51bdd1ff1fb42079742c896f4f2415271fe2ae2a1e 6464 cloud-init_20.4.1-2_source.buildinfo
Files:
 c1505e22fc9dcf86fdfeaaa7d10a9434 2413 admin optional cloud-init_20.4.1-2.dsc
 d4506774577d1731bb069caeb3dc096e 28300 admin optional cloud-init_20.4.1-2.debian.tar.xz
 f3365caf5e50e7e1416a40357c11cbce 6464 admin optional cloud-init_20.4.1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---