Your message dated Sat, 12 Jul 2025 09:32:08 +0000
with message-id <E1uaWaW-008mjy-C7@fasolo.debian.org>
and subject line Bug#1108403: fixed in cloud-init 22.4.2-1+deb12u3
has caused the Debian Bug report #1108403,
regarding cloud-init: CVE-2024-6174
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1108403: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108403
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: cloud-init: CVE-2024-6174
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 27 Jun 2025 21:14:17 +0200
- Message-id: <175105165755.1422810.7191493426370949878.reportbug@eldamar.lan>
Source: cloud-init
Version: 25.1.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cloud-init.

CVE-2024-6174[0]:
| When a non-x86 platform is detected, cloud-init grants root access
| to a hardcoded url with a local IP address. To prevent this,
| cloud-init default configurations disable platform enumeration.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6174
    https://www.cve.org/CVERecord?id=CVE-2024-6174
[1] https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
- To: 1108403-close@bugs.debian.org
- Subject: Bug#1108403: fixed in cloud-init 22.4.2-1+deb12u3
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 12 Jul 2025 09:32:08 +0000
- Message-id: <E1uaWaW-008mjy-C7@fasolo.debian.org>
- Reply-to: Noah Meyerhans <noahm@debian.org>
Source: cloud-init
Source-Version: 22.4.2-1+deb12u3
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1108403@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 10 Jul 2025 15:07:51 -0400
Source: cloud-init
Architecture: source
Version: 22.4.2-1+deb12u3
Distribution: bookworm
Urgency: medium
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 1108402 1108403
Changes:
 cloud-init (22.4.2-1+deb12u3) bookworm; urgency=medium
 .
   * Import upstream fix for CVE-2024-6174 (Closes: #1108403)
   * salsa-ci: build in bookworm
   * Backport upstream fix for CVE-2024-11584 (Closes: #1108402)
--- End Message ---