We've decided this is a "security hardening" measure rather than a security issue, and thus won't apply for a CVE and won't attempt an embargoed coordination with other vendors: any process that has sufficient privileges to read this file and thus the password has every opportunity to perform dozens of other privileged operations that would expose or reset this password.
Ben said he'd follow through with the SRU process; this makes sense to us. Thanks ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1458052 Title: Azure Datasource writes user password in plain text To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1458052/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
