From ${URL} : It was reported [1],[2] that cloud-init could send requests for EC2 instance data to untrusted systems. This could allow someone who has control over a suitable domain name to obtain root rights on an affected system. This issue was found and silently fixed in 2012; version 0.7.0 contains the fix [3]. [1] http://seclists.org/oss-sec/2014/q1/514 [2] https://bugs.launchpad.net/cloud-init/+bug/1040200 [3] http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/635
Filed for tracking purpose.