Package: cloud-init
Version: 20.4-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as:

    chpasswd:
      list: |
        user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a world-readable local file.

This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

This issue has been allocated CVE-2021-3429.
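
To find which accounts were given a generated password by user-data of the form shown above (so those passwords can be rotated), the following added example lists the affected users. It is not part of the original report or of cloud-init; it assumes a simple line-based reading of the chpasswd list rather than a full YAML parser, and the sample user-data and function name are constructed for illustration.

```python
import re

# Constructed sample user-data; user names and the literal password are made up.
SAMPLE_USER_DATA = """\
#cloud-config
chpasswd:
  expire: false
  list: |
    user1:RANDOM
    user2:example-not-random
    user3:R
packages:
  - htop
"""

# One "user:password" entry, optionally written as a YAML sequence item.
ENTRY = re.compile(r"^-?\s*['\"]?([^:\s'\"]+):(\S+?)['\"]?$")
# The report shows RANDOM; cloud-init also accepts the short form R.
RANDOM_MARKERS = ("RANDOM", "R")

def random_password_users(user_data):
    """Return users whose chpasswd list entry requests a generated password."""
    users, in_chpasswd, list_indent = [], False, None
    for raw in user_data.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # a new top-level key starts or ends the chpasswd section
            in_chpasswd, list_indent = text.startswith("chpasswd:"), None
            continue
        if not in_chpasswd:
            continue
        inside_list = list_indent is not None and (
            indent > list_indent
            or (indent == list_indent and text.startswith("- "))
        )
        if inside_list:
            m = ENTRY.match(text)
            if m and m.group(2) in RANDOM_MARKERS:
                users.append(m.group(1))
            continue
        list_indent = indent if text.startswith("list:") else None
    return users

if __name__ == "__main__":
    print(random_password_users(SAMPLE_USER_DATA))
```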