
Bug#985540: marked as done (cloud-init logs sensitive password data to world-readable files)



Your message dated Fri, 19 Mar 2021 23:02:07 +0000
with message-id <E1lNO87-000GBX-Lz@fasolo.debian.org>
and subject line Bug#985540: fixed in cloud-init 20.2-2~deb10u2
has caused the Debian Bug report #985540,
regarding cloud-init logs sensitive password data to world-readable files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985540: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985540
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cloud-init
Version: 20.4-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

cloud-init has the ability to generate and set a randomized password for
system users.  This functionality is enabled at runtime by passing
cloud-config data such as:

   chpasswd:
       list: |
           user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.

This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

This issue has been allocated CVE-2021-3429.

--- End Message ---
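The report above describes two conditions that together make this a user security hole: a generated password written to a log in the clear, and that log being readable by every local user. The following audit script is an added example, not code from the bug report, from Debian, or from the cloud-init project. It checks a log file for both conditions. The banner wording and the user:password line layout it matches are assumptions made for illustration (cloud-init's real output may differ, so compare the pattern against your own logs), and the sample log content is constructed for the demo.

```python
"""Added example (not from the Debian bug report or the cloud-init project):
audit a cloud-init style log for world-readable permissions and for lines
that look like a generated password was written in the clear.  The log line
format matched below is an ASSUMPTION for illustration, not cloud-init's
documented output; adjust the patterns after inspecting real logs."""
import os
import re
import stat
import tempfile

# Constructed sample log content.  The "Set the following 'random' passwords"
# banner and the following user:password line are an assumed format.
SAMPLE_LOG = """\
2021-03-19 09:43:23,000 - cc_set_passwords.py[DEBUG]: Handling set-passwords
2021-03-19 09:43:23,001 - util.py[DEBUG]: Set the following 'random' passwords
user1:aB3dEfGh1JkLmNoP
2021-03-19 09:43:23,002 - cc_set_passwords.py[DEBUG]: Finished set-passwords
"""

# Heuristic: a bare "user:secret" line that directly follows the banner.
BANNER_RE = re.compile(r"Set the following 'random' passwords")
CRED_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*):(\S+)$")


def find_leaked_passwords(text):
    """Return (line_number, username) for each line that looks like a
    cleartext credential written after the banner.  The password itself is
    deliberately not returned so the audit output does not re-leak it."""
    hits = []
    armed = False  # True while we are inside a block that followed the banner
    for lineno, line in enumerate(text.splitlines(), start=1):
        if BANNER_RE.search(line):
            armed = True
            continue
        m = CRED_RE.match(line)
        if armed and m:
            hits.append((lineno, m.group(1)))
        else:
            armed = False  # any non-credential line ends the block
    return hits


def is_world_readable(path):
    """True if the 'other' class has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_log(path):
    """Combine both checks.  The dangerous case is cleartext credentials in a
    file that users other than the owner and group can read."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = find_leaked_passwords(fh.read())
    return {
        "world_readable": is_world_readable(path),
        "leaked_users": [user for _, user in hits],
    }


def demo():
    """Write the constructed sample to a temporary file with mode 0644 (the
    mode a world-readable /var/log/cloud-init.log would have) and audit it."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_LOG)
    os.chmod(path, 0o644)
    try:
        return audit_log(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Run against a real log path with `audit_log("/var/log/cloud-init.log")`; a result with `world_readable` true and a non-empty `leaked_users` list means the affected version has been run with the `RANDOM` option on that host, so the log should be restricted and the listed accounts' passwords rotated. The script reports usernames only, never the matched secret.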
--- Begin Message ---
Source: cloud-init
Source-Version: 20.2-2~deb10u2
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985540@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Mar 2021 09:43:23 -0700
Source: cloud-init
Architecture: source
Version: 20.2-2~deb10u2
Distribution: buster
Urgency: high
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 985540
Changes:
 cloud-init (20.2-2~deb10u2) buster; urgency=high
 .
   * Avoid logging generated passwords to world-readable log files.
     CVE-2021-3429. (Closes: #985540)
Checksums-Sha1:
 d55f3de376613258a6d978ee5d6ac8c1cdb5fbae 2431 cloud-init_20.2-2~deb10u2.dsc
 1ec7ce722b526d12b4557e13a76c79f95a92ff35 27568 cloud-init_20.2-2~deb10u2.debian.tar.xz
 ae5568fb5e1e5e4cb484878e82342651c8f68c44 6844 cloud-init_20.2-2~deb10u2_source.buildinfo
Checksums-Sha256:
 f2b718c99fe8fdc7cfc1dfe5e499c521b61eb3d839a8d75e216fac940d352ce6 2431 cloud-init_20.2-2~deb10u2.dsc
 6c1294d5b212c77b7bf40b04a2c1c812c355006c49d8e62ae581984bc0b43bc4 27568 cloud-init_20.2-2~deb10u2.debian.tar.xz
 aae68927fee6ee42ebfa444c9984ff40b3343707f5260cfb540553aa2f9ac410 6844 cloud-init_20.2-2~deb10u2_source.buildinfo
Files:
 e1aaa79c61be38e671234acfb156fb21 2431 admin optional cloud-init_20.2-2~deb10u2.dsc
 d89a6e85f6cc7124d293f2ef38efa190 27568 admin optional cloud-init_20.2-2~deb10u2.debian.tar.xz
 6a86edac194fe2582c0f015b174e5713 6844 admin optional cloud-init_20.2-2~deb10u2_source.buildinfo


--- End Message ---
