Bug#1108403: marked as done (cloud-init: CVE-2024-6174)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 08 Jul 2025 21:19:12 +0000
with message-id <E1uZFia-009D1B-DQ@fasolo.debian.org>
and subject line Bug#1108403: fixed in cloud-init 25.1.4-1
has caused the Debian Bug report #1108403,
regarding cloud-init: CVE-2024-6174
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108403: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108403
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: cloud-init: CVE-2024-6174
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Fri, 27 Jun 2025 21:14:17 +0200
• Message-id: <175105165755.1422810.7191493426370949878.reportbug@eldamar.lan>

Source: cloud-init
Version: 25.1.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cloud-init.

CVE-2024-6174[0]:
| When a non-x86 platform is detected, cloud-init grants root access
| to a hardcoded url with a local IP address. To prevent this, cloud-
| init default configurations disable platform enumeration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6174
    https://www.cve.org/CVERecord?id=CVE-2024-6174
[1] https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 1108403-close@bugs.debian.org
• Subject: Bug#1108403: fixed in cloud-init 25.1.4-1
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Tue, 08 Jul 2025 21:19:12 +0000
• Message-id: <E1uZFia-009D1B-DQ@fasolo.debian.org>
• Reply-to: Noah Meyerhans <noahm@debian.org>

Source: cloud-init
Source-Version: 25.1.4-1
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108403@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Jul 2025 15:13:38 -0400
Source: cloud-init
Architecture: source
Version: 25.1.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 1108402 1108403
Changes:
 cloud-init (25.1.4-1) unstable; urgency=medium
 .
   * New upstream version 25.1.4 (Closes: #1108402, #1108403)
     - Fixes CVE-2024-6174
     - Fixes CVE-2024-11584
Checksums-Sha1:
 65730056fd1fa113780d858e5bf1c1803345be14 2448 cloud-init_25.1.4-1.dsc
 2709afb6a1ccea9c30860814ecf20c51544d7670 1917855 cloud-init_25.1.4.orig.tar.gz
 b5d669c0d280fe0d6d7fa39d6b17697f5842f408 28088 cloud-init_25.1.4-1.debian.tar.xz
 31191f94a83b60a97397b60668dfc2b31a2bbebc 7892 cloud-init_25.1.4-1_source.buildinfo
Checksums-Sha256:
 927d6d52855babe43b86e89ca6944021940ac7958ffa171b025c891a9e719c8f 2448 cloud-init_25.1.4-1.dsc
 fa70a77fc3cd3167a051e9ab04af4d4f56d3ffa0deb320735c889a6a367d3a3d 1917855 cloud-init_25.1.4.orig.tar.gz
 ae421cadd476c18ed1afb35ae392b951722b5cde4e0954c1a6caa9ff501cde5c 28088 cloud-init_25.1.4-1.debian.tar.xz
 de5cb07d25a57e5cb69937e9fef7eeef090872f7174c0f7371e57cc9bef97a78 7892 cloud-init_25.1.4-1_source.buildinfo
Files:
 48de407a6be59cc6a80962ad5fcc4186 2448 admin optional cloud-init_25.1.4-1.dsc
 9d46a752100429e78819e46e148b14e8 1917855 admin optional cloud-init_25.1.4.orig.tar.gz
 4b9db1cb16c2d16e883a394e3026b832 28088 admin optional cloud-init_25.1.4-1.debian.tar.xz
 fd7473ee0df5292707993ca4e10be383 7892 admin optional cloud-init_25.1.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5G+E0xEKhJuZ7RJ34+c1IpshdTUFAmhtiP8ACgkQ4+c1Ipsh
dTUBnw//U3rb9NLy/xnPZsrR5G8w+WktPYd8P9NsIkZXd4q8wOazdLFqbKydZQuM
X+8AtY1dySPnTvD0WOrClnoxylP7KzMoCeaM550FBWOrfFulKxAVTynNwbPwfWbV
oTE+UssH20RysW2pwJCbIPG2vPND4junC8gNTldhLw5UDe8zZlczjfQEVSL+k+/q
DPMJ40IWuakC1DNMgt7c/CcABLrdKDVYZ2R37JiJYMmHXODVgiiSzieJq4TfCKSh
gOcQ9XqZ4ywdGnRDw54dwABOJIQlaZBGjmi0cWiSAanKcKrldqYiBaBfn22H14rD
yUmZS/oLLt+q+hyLjvdlXbAeYaVMqzR9VGvVkVc0RUANTjJYYOObNHzPX4wQlpI2
SbPYj2BGObRgmndxEa7Q6Ta8tjl6jEQmf8VAwhWSKyaiRON/IkBiHK8xFBRQhKIJ
q0w0Y5JvZGXTFaPHW3Z8aNLvRjEESAUJnX7yeCnGvr4MmNv+yDSw4weQN0DKEFZc
xlUloTQRn3DlGdDzmXoM4u+DjgeN0gjn+qKnP6LORjwKOqWk36NVU6HquCiij0Ip
BkW/0nob9xt06eTCFX8j3K2maZ2yNcMo0b5W9L4wzhpnsPTmWovJl8Fd0mP/Z+OY
S3lVBKO7FTnGZw4TBp8c146ZplnJZn5+3y6FbS3p8DPZEHE8oXY=
=UP7R
-----END PGP SIGNATURE-----

Attachment: pgpY2iWeU4YfP.pgp
Description: PGP signature

--- End Message ---