Your message dated Tue, 18 Feb 2020 23:49:45 +0000
with message-id <[email protected]>
and subject line Bug#951363: fixed in cloud-init 19.4-2
has caused the Debian Bug report #951363,
regarding cloud-init: CVE-2020-8632
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
951363: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951363
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cloud-init
Version: 19.4-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/canonical/cloud-init/pull/189
Control: found -1 19.3-2

Hi,

The following vulnerability was published for cloud-init.

CVE-2020-8632[0]:
| In cloud-init through 19.4, rand_user_password in
| cloudinit/config/cc_set_passwords.py has a small default pwlen value,
| which makes it easier for attackers to guess passwords.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8632
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632
[1] https://github.com/canonical/cloud-init/pull/189

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cloud-init
Source-Version: 19.4-2
Done: Noah Meyerhans <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <[email protected]> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Feb 2020 14:17:28 -0800
Source: cloud-init
Architecture: source
Version: 19.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team <[email protected]>
Changed-By: Noah Meyerhans <[email protected]>
Closes: 951362 951363
Changes:
 cloud-init (19.4-2) unstable; urgency=medium
 .
   * Import upstream fix for CVE-2020-8632.  rand_user_password generates
     passwords of insufficient length.  (Closes: #951363)
   * Import upstream fix for CVE-2020-8631.  Cloud-init uses an insufficient
     source of randomness when generating passwords. (Closes: #951362)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
