CVE-2020-8631: cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.
https://nvd.nist.gov/vuln/detail/CVE-2020-8631

CVE-2020-8632: In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
https://nvd.nist.gov/vuln/detail/CVE-2020-8632
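The two advisories above come down to one weak call and one short default. The following is an added example, not cloud-init's code or anything from this bug: a hardened replacement for the rand_str pattern, a work-factor estimate for the pwlen default, and a small AST lint that flags random.* calls for review. WEAK_SOURCE is a constructed snippet standing in for the affected function, not the real cloudinit/util.py.

```python
"""Added example: hardened random string generation plus a lint for the
CVE-2020-8631 pattern (random.choice used for secrets). Not cloud-init code."""
import ast
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def rand_str_secure(strlen=32, select_from=ALPHABET):
    """Hardened equivalent of the rand_str pattern.

    secrets.choice draws from the OS CSPRNG (os.urandom); random.choice draws
    from Python's Mersenne Twister, whose state can be recovered from its
    output, which is the CVE-2020-8631 issue. random.SystemRandom().choice
    is the other stdlib option with the same security property.
    """
    return "".join(secrets.choice(select_from) for _ in range(strlen))


def entropy_bits(pwlen, alphabet_size=len(ALPHABET)):
    """Brute-force work factor in bits of a uniformly random password.

    This is the quantity a small default pwlen (CVE-2020-8632) reduces:
    9 characters over 62 symbols is about 53.6 bits, 20 is about 119.
    """
    return pwlen * math.log2(alphabet_size)


# Constructed stand-in for the weak pattern (assumption: not the real source).
WEAK_SOURCE = '''
import random
def rand_str(strlen=32, select_from="abc"):
    return "".join([random.choice(select_from) for _x in range(0, strlen)])
'''


def find_insecure_random_calls(source):
    """Return (lineno, function) for every random.<fn>(...) call in source.

    A plain 'random' module attribute call is the CWE-338 pattern to review;
    secrets.* and random.SystemRandom().* are not matched.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            if isinstance(base, ast.Name) and base.id == "random":
                hits.append((node.lineno, node.func.attr))
    return hits
```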
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=353ead38dc41437704919d82b9bc4e64ed294cdc

commit 353ead38dc41437704919d82b9bc4e64ed294cdc
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-11 18:12:01 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-11 18:12:52 +0000

    app-emulation/cloud-init: 19.4 bump includes fix for CVE-2020-{8631,8632}

    Bug: https://bugs.gentoo.org/708738
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-emulation/cloud-init/Manifest                  |  1 +
 app-emulation/cloud-init/cloud-init-19.4.ebuild    | 90 +++++++++++++++++++++
 ...it-19.4-gentoo-support-upstream-templates.patch | 93 ++++++++++++++++++++++
 .../files/cloud-init-19.4_CVE-2020-8631.patch      | 25 ++++++
 app-emulation/cloud-init/metadata.xml              |  2 +-
 5 files changed, 210 insertions(+), 1 deletion(-)
updated the ebuild, are we fine for fast stable or should we wait?
CVE-2020-8632 (https://nvd.nist.gov/vuln/detail/CVE-2020-8632): In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.

CVE-2020-8631 (https://nvd.nist.gov/vuln/detail/CVE-2020-8631): cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1aa00da6a419e83bab5c59c8163e391d9844adff

commit 1aa00da6a419e83bab5c59c8163e391d9844adff
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-25 17:51:58 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-25 17:52:17 +0000

    app-emulation/cloud-init: cleanup

    Bug: https://bugs.gentoo.org/708738
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-emulation/cloud-init/Manifest                  |  3 -
 app-emulation/cloud-init/cloud-init-17.2.ebuild    | 80 -------------------
 app-emulation/cloud-init/cloud-init-18.4-r1.ebuild | 89 --------------------
 app-emulation/cloud-init/cloud-init-18.5.ebuild    | 91 ----------------------
 app-emulation/cloud-init/cloud-init-9999.ebuild    |  4 +-
 .../files/18.5-fix-invalid-string-format.patch     | 46 -----------
 ...it-18.4-gentoo-support-upstream-templates.patch | 91 ----------------------
 7 files changed, 2 insertions(+), 402 deletions(-)
GLSA Vote: No! Repository is clean, all done.