| Summary: | <app-emulation/cloud-init-19.4: multiple vulnerabilities (CVE-2020-{8631,8632}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | eva, prometheanfire |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795 | ||
| Whiteboard: | B4 [noglsa cve] | ||
| Package list: |
app-emulation/cloud-init-19.4
|
Runtime testing required: | --- |
|
Description
filip ambroz
2020-02-08 16:53:38 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=353ead38dc41437704919d82b9bc4e64ed294cdc commit 353ead38dc41437704919d82b9bc4e64ed294cdc Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2020-02-11 18:12:01 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2020-02-11 18:12:52 +0000 app-emulation/cloud-init: 19.4 bump includes fix for CVE-2020-{8631,8632} Bug: https://bugs.gentoo.org/708738 Package-Manager: Portage-2.3.84, Repoman-2.3.20 Signed-off-by: Matthew Thode <prometheanfire@gentoo.org> app-emulation/cloud-init/Manifest | 1 + app-emulation/cloud-init/cloud-init-19.4.ebuild | 90 +++++++++++++++++++++ ...it-19.4-gentoo-support-upstream-templates.patch | 93 ++++++++++++++++++++++ .../files/cloud-init-19.4_CVE-2020-8631.patch | 25 ++++++ app-emulation/cloud-init/metadata.xml | 2 +- 5 files changed, 210 insertions(+), 1 deletion(-) updated the ebuild, are we fine for fast stable or should we wait? CVE-2020-8632 (https://nvd.nist.gov/vuln/detail/CVE-2020-8632): In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. CVE-2020-8631 (https://nvd.nist.gov/vuln/detail/CVE-2020-8631): cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function. amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1aa00da6a419e83bab5c59c8163e391d9844adff commit 1aa00da6a419e83bab5c59c8163e391d9844adff Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2020-02-25 17:51:58 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2020-02-25 17:52:17 +0000 app-emulation/cloud-init: cleanup Bug: https://bugs.gentoo.org/708738 Package-Manager: Portage-2.3.84, Repoman-2.3.20 Signed-off-by: Matthew Thode <prometheanfire@gentoo.org> app-emulation/cloud-init/Manifest | 3 - app-emulation/cloud-init/cloud-init-17.2.ebuild | 80 ------------------- app-emulation/cloud-init/cloud-init-18.4-r1.ebuild | 89 --------------------- app-emulation/cloud-init/cloud-init-18.5.ebuild | 91 ---------------------- app-emulation/cloud-init/cloud-init-9999.ebuild | 4 +- .../files/18.5-fix-invalid-string-format.patch | 46 ----------- ...it-18.4-gentoo-support-upstream-templates.patch | 91 ---------------------- 7 files changed, 2 insertions(+), 402 deletions(-) GLSA Vote: No! Repository is clean, all done. |
