Your message dated Tue, 08 Jul 2025 21:19:12 +0000
with message-id <e1uzfia-009d14...@fasolo.debian.org>
and subject line Bug#1108402: fixed in cloud-init 25.1.4-1
has caused the Debian Bug report #1108402,
regarding cloud-init: CVE-2024-11584
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1108402: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108402
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cloud-init
Version: 25.1.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/canonical/cloud-init/pull/6265
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for cloud-init.
CVE-2024-11584[0]:
| cloud-init through 25.1.2 includes the systemd socket unit cloud-
| init-hotplugd.socket with default SocketMode that grants 0666
| permissions, making it world-writable. This is used for the
| "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could
| trigger hotplug-hook commands.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-11584
https://www.cve.org/CVERecord?id=CVE-2024-11584
[1] https://github.com/canonical/cloud-init/pull/6265
[2]
https://github.com/canonical/cloud-init/commit/4839736429e9057a309ccd835cb3159fb51b1353
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cloud-init
Source-Version: 25.1.4-1
Done: Noah Meyerhans <no...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated cloud-init package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 07 Jul 2025 15:13:38 -0400
Source: cloud-init
Architecture: source
Version: 25.1.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team <debian-cl...@lists.debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 1108402 1108403
Changes:
cloud-init (25.1.4-1) unstable; urgency=medium
.
* New upstream version 25.1.4 (Closes: #1108402, #1108403)
- Fixes CVE-2024-6174
- Fixes CVE-2024-11584
Checksums-Sha1:
65730056fd1fa113780d858e5bf1c1803345be14 2448 cloud-init_25.1.4-1.dsc
2709afb6a1ccea9c30860814ecf20c51544d7670 1917855 cloud-init_25.1.4.orig.tar.gz
b5d669c0d280fe0d6d7fa39d6b17697f5842f408 28088
cloud-init_25.1.4-1.debian.tar.xz
31191f94a83b60a97397b60668dfc2b31a2bbebc 7892
cloud-init_25.1.4-1_source.buildinfo
Checksums-Sha256:
927d6d52855babe43b86e89ca6944021940ac7958ffa171b025c891a9e719c8f 2448
cloud-init_25.1.4-1.dsc
fa70a77fc3cd3167a051e9ab04af4d4f56d3ffa0deb320735c889a6a367d3a3d 1917855
cloud-init_25.1.4.orig.tar.gz
ae421cadd476c18ed1afb35ae392b951722b5cde4e0954c1a6caa9ff501cde5c 28088
cloud-init_25.1.4-1.debian.tar.xz
de5cb07d25a57e5cb69937e9fef7eeef090872f7174c0f7371e57cc9bef97a78 7892
cloud-init_25.1.4-1_source.buildinfo
Files:
48de407a6be59cc6a80962ad5fcc4186 2448 admin optional cloud-init_25.1.4-1.dsc
9d46a752100429e78819e46e148b14e8 1917855 admin optional
cloud-init_25.1.4.orig.tar.gz
4b9db1cb16c2d16e883a394e3026b832 28088 admin optional
cloud-init_25.1.4-1.debian.tar.xz
fd7473ee0df5292707993ca4e10be383 7892 admin optional
cloud-init_25.1.4-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE5G+E0xEKhJuZ7RJ34+c1IpshdTUFAmhtiP8ACgkQ4+c1Ipsh
dTUBnw//U3rb9NLy/xnPZsrR5G8w+WktPYd8P9NsIkZXd4q8wOazdLFqbKydZQuM
X+8AtY1dySPnTvD0WOrClnoxylP7KzMoCeaM550FBWOrfFulKxAVTynNwbPwfWbV
oTE+UssH20RysW2pwJCbIPG2vPND4junC8gNTldhLw5UDe8zZlczjfQEVSL+k+/q
DPMJ40IWuakC1DNMgt7c/CcABLrdKDVYZ2R37JiJYMmHXODVgiiSzieJq4TfCKSh
gOcQ9XqZ4ywdGnRDw54dwABOJIQlaZBGjmi0cWiSAanKcKrldqYiBaBfn22H14rD
yUmZS/oLLt+q+hyLjvdlXbAeYaVMqzR9VGvVkVc0RUANTjJYYOObNHzPX4wQlpI2
SbPYj2BGObRgmndxEa7Q6Ta8tjl6jEQmf8VAwhWSKyaiRON/IkBiHK8xFBRQhKIJ
q0w0Y5JvZGXTFaPHW3Z8aNLvRjEESAUJnX7yeCnGvr4MmNv+yDSw4weQN0DKEFZc
xlUloTQRn3DlGdDzmXoM4u+DjgeN0gjn+qKnP6LORjwKOqWk36NVU6HquCiij0Ip
BkW/0nob9xt06eTCFX8j3K2maZ2yNcMo0b5W9L4wzhpnsPTmWovJl8Fd0mP/Z+OY
S3lVBKO7FTnGZw4TBp8c146ZplnJZn5+3y6FbS3p8DPZEHE8oXY=
=UP7R
-----END PGP SIGNATURE-----
pgpM7ATslJPq9.pgp
Description: PGP signature
--- End Message ---
