Bug#1108403: cloud-init: CVE-2024-6174

To: 1108403@bugs.debian.org
Subject: Bug#1108403: cloud-init: CVE-2024-6174
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Sun, 29 Jun 2025 12:48:20 +0000
Message-id: <[🔎] aGE2FH3IJeQ2WoEH@yuggoth.org>
Reply-to: Jeremy Stanley <fungi@yuggoth.org>, 1108403@bugs.debian.org
In-reply-to: <[🔎] 576c3e06-a473-42c9-92d4-3dcf99e31619@goirand.fr>
References: <[🔎] 175105165755.1422810.7191493426370949878.reportbug@eldamar.lan> <[🔎] aF7yunjojcDHC9nY@doom.morgul.net> <[🔎] 175105165755.1422810.7191493426370949878.reportbug@eldamar.lan> <[🔎] aF8ubO-uJIXPvlhW@yuggoth.org> <[🔎] 20250628074736.wt3zyxv3or7dary4@shell.thinkmo.de> <[🔎] 175105165755.1422810.7191493426370949878.reportbug@eldamar.lan> <[🔎] aF_maZAc_58kTD37@yuggoth.org> <[🔎] 175105165755.1422810.7191493426370949878.reportbug@eldamar.lan> <[🔎] 576c3e06-a473-42c9-92d4-3dcf99e31619@goirand.fr> <[🔎] 175105165755.1422810.7191493426370949878.reportbug@eldamar.lan>

On 2025-06-28 18:15:08 +0200 (+0200), thomas@goirand.fr wrote:
[...]

FYI, I expect most OpenStack operators to configure a config driveby default, as it is the most reliable metadata source.

Yes, the main reason some of them prefer/recommend the networkmetadata source is that it can be updated over time, while theconfigdrive content is (currently) frozen at the time its associatedserver instance is created so things like default gateways, staticroutes and DNS resolver addresses may grow stale as the operatormakes adjustments to their environment.

But since we're talking about a very small subset of clouds rightnow (specifically those with non-amd64 compute nodes), I think thebehavior change is probably not a major concern.

--
Jeremy Stanley

Reply to:

Follow-Ups:
- Bug#1108403: cloud-init: CVE-2024-6174
  - From: Bastian Blank <waldi@debian.org>

References:
- Bug#1108403: cloud-init: CVE-2024-6174
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#1108403: (no subject)
  - From: Noah Meyerhans <noahm@debian.org>
- Bug#1108403: (no subject)
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Bug#1108403: (no subject)
  - From: Bastian Blank <waldi@debian.org>
- Bug#1108403: (no subject)
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Bug#1108403: (no subject)
  - From: thomas@goirand.fr

Prev by Date: Bug#1108403: (no subject)
Next by Date: Bug#1108403: cloud-init: CVE-2024-6174
Previous by thread: Bug#1108403: (no subject)
Next by thread: Bug#1108403: cloud-init: CVE-2024-6174
Index(es):
- Date
- Thread