
Bug#1014247: marked as done (cloud-init: CVE-2022-2084)



Your message dated Sun, 03 Jul 2022 17:35:10 +0000
with message-id <E1o83V0-000Go7-B6@fasolo.debian.org>
and subject line Bug#1014247: fixed in cloud-init 22.2-2
has caused the Debian Bug report #1014247,
regarding cloud-init: CVE-2022-2084
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1014247: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014247
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cloud-init
Version: 22.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cloud-init.

CVE-2022-2084[0]:
| logged schema failures can include password hashes

Ubuntu has apparently fixed this with [1,2], and it should affect only
unstable/testing.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2084
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2084
[1] https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c
[2] https://bugs.launchpad.net/cloud-init/+bug/1978422

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cloud-init
Source-Version: 22.2-2
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014247@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 03 Jul 2022 19:03:53 +0200
Source: cloud-init
Architecture: source
Version: 22.2-2
Distribution: unstable
Urgency: high
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1014247
Changes:
 cloud-init (22.2-2) unstable; urgency=high
 .
   * CVE-2022-2084: logged schema failures can include password hashes. Applied
     upstream patch: Remove_schema_errors_from_log.patch (Closes: #1014247).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
