SUSE alert SUSE-SU-2023:2628-1 (cloud-init)
From: sle-security-updates@lists.suse.com
To: sle-security-updates@lists.suse.com
Subject: SUSE-SU-2023:2628-1: important: Security update for cloud-init
Date: Fri, 23 Jun 2023 20:30:04 -0000
Message-ID: <168755220478.14826.18096795338674009508@smelt2.suse.de>

# Security update for cloud-init

Announcement ID: SUSE-SU-2023:2628-1
Rating: important

References:

* #1171511
* #1203393
* #1210277
* #1210652

Cross-References:

* CVE-2022-2084
* CVE-2023-1786

CVSS scores:

* CVE-2022-2084 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-1786 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-1786 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Public Cloud Module 15-SP2
* Public Cloud Module 15-SP1
* Public Cloud Module 15-SP3
* Public Cloud Module 15-SP4
* Public Cloud Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP1
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.0
* SUSE Manager Proxy 4.1
* SUSE Manager Proxy 4.2
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.0
* SUSE Manager Retail Branch Server 4.1
* SUSE Manager Retail Branch Server 4.2
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.0
* SUSE Manager Server 4.1
* SUSE Manager Server 4.2
* SUSE Manager Server 4.3

An update that solves two vulnerabilities and has two fixes can now be installed.

## Description:

This update for cloud-init fixes the following issues:

* CVE-2023-1786: Do not expose sensitive data gathered from the CSP. (bsc#1210277)
* CVE-2022-2084: Fixed a bug that allowed logged schema failures to include password hashes. (bsc#1210652)
* Update to version 23.1
  * Support transactional-updates for SUSE based distros
  * Set ownership for new folders in Write Files Module
  * add OpenCloudOS and TencentOS support
  * lxd: Retry if the server isn't ready
  * test: switch pycloudlib source to pypi
  * test: Fix integration test deprecation message
  * Recognize opensuse-microos, dev tooling fixes
  * sources/azure: refactor imds handler into own module
  * docs: deprecation generation support
  * add function is_virtual to distro/FreeBSD
  * cc_ssh: support multiple hostcertificates
  * Fix minor schema validation regression and fixup typing
  * doc: Reword user data debug section
  * cli: schema also validate vendordata*.
  * ci: sort and add checks for cla signers file
  * Add "ederst" as contributor
  * readme: add reference to packages dir
  * docs: update downstream package list
  * docs: add google search verification
  * docs: fix 404 render use default notfound_urls_prefix in RTD conf
  * Fix OpenStack datasource detection on bare metal
  * docs: add themed RTD 404 page and pointer to readthedocs-hosted
  * schema: fix gpt labels, use type string for GUID
  * cc_disk_setup: code cleanup
  * netplan: keep custom strict perms when 50-cloud-init.yaml exists
  * cloud-id: better handling of change in datasource files
  * Warn on empty network key
  * Fix Vultr cloud_interfaces usage
  * cc_puppet: Update puppet service name
  * docs: Clarify networking docs
  * lint: remove httpretty
  * cc_set_passwords: Prevent traceback when restarting ssh
  * tests: fix lp1912844
  * tests: Skip ansible test on bionic
  * Wait for NetworkManager
  * docs: minor polishing
  * CI: migrate integration-test to GH actions
  * Fix permission of SSH host keys
  * Fix default route rendering on v2 ipv6
  * doc: fix path in net_convert command
  * docs: update net_convert docs
  * doc: fix dead link
  * cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty
  * distros/rhel.py: _read_hostname() missing strip on "hostname"
  * integration tests: add IBM VPC support
  * machine-id: set to uninitialized to trigger regeneration on clones
  * sources/azure: retry on connection error when fetching metadata
  * Ensure ssh state accurately obtained
  * bddeb: drop dh-systemd dependency on newer deb-based releases
  * doc: fix `config formats` link in cloudsigma.rst
  * Fix wrong subp syntax in cc_set_passwords.py
  * docs: update the PR template link to readthedocs
  * ci: switch unittests to gh actions
  * Add mount_default_fields for PhotonOS.
  * sources/azure: minor refactor for metadata source detection logic
  * add "CalvoM" as contributor
  * ci: doc to gh actions
  * lxd: handle 404 from missing devices route for LXD 4.0
  * docs: Diataxis overhaul
  * vultr: Fix issue regarding cache and region codes
  * cc_set_passwords: Move ssh status checking later
  * Improve Wireguard module idempotency
  * network/netplan: add gateways as on-link when necessary
  * tests: test_lxd assert features.networks.zones when present
  * Use btrfs enqueue when available (#1926) [Robert Schweikert]
  * sources/azure: fix device driver matching for net config (#1914)
  * BSD: fix duplicate macs in Ifconfig parser
  * pycloudlib: add lunar support for integration tests
  * nocloud: add support for dmi variable expansion for seedfrom URL
  * tools: read-version drop extra call to git describe --long
  * doc: improve cc_write_files doc
  * read-version: When insufficient tags, use cloudinit.version.get_version
  * mounts: document weird prefix in schema
  * Ensure network ready before cloud-init service runs on RHEL
  * docs: add copy button to code blocks
  * netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag
  * azure: fix support for systems without az command installed
  * Fix the distro.osfamily output problem in the openEuler system.
  * pycloudlib: bump commit dropping azure api smoke test
  * net: netplan config root read-only as wifi config can contain creds
  * autoinstall: clarify docs for users
  * sources/azure: encode health report as utf-8
  * Add back gateway4/6 deprecation to docs
  * networkd: Add support for multiple [Route] sections
  * doc: add qemu tutorial
  * lint: fix tip-flake8 and tip-mypy
  * Add support for setting uid when creating users on FreeBSD
  * Fix exception in BSD networking code-path
  * Append derivatives to is_rhel list in cloud.cfg.tmpl
  * FreeBSD init: use cloudinit_enable as only rcvar
  * feat: add support aliyun metadata security harden mode
  * docs: uprate analyze to performance page
  * test: fix lxd preseed managed network config
  * Add support for static IPv6 addresses for FreeBSD
  * Make 3.12 failures not fail the build
  * Docs: adding relative links
  * Fix setup.py to align with PEP 440 versioning replacing trailing
  * Add "nkukard" as contributor
  * doc: add how to render new module doc
  * doc: improve module creation explanation
  * Add Support for IPv6 metadata to OpenStack
  * add xiaoge1001 to .github-cla-signers
  * network: Deprecate gateway{4,6} keys in network config v2
  * VMware: Move Guest Customization transport from OVF to VMware
  * doc: home page links added
  * net: skip duplicate mac check for netvsc nic and its VF

This update for python-responses fixes the following issues:

* update to 0.21.0:
  * Add `threading.Lock()` to allow `responses` working with `threading` module.
  * Add `urllib3` `Retry` mechanism. See #135
  * Removed internal `_cookies_from_headers` function
  * Now `add`, `upsert`, `replace` methods return registered response. `remove` method returns list of removed responses.
  * Added null value support in `urlencoded_params_matcher` via `allow_blank` keyword argument
  * Added strict version of decorator. Now you can apply `@responses.activate(assert_all_requests_are_fired=True)` to your function to validate that all requests were executed in the wrapped function. See #183

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  `zypper in -t patch openSUSE-SLE-15.4-2023-2628=1`
* openSUSE Leap 15.5
  `zypper in -t patch openSUSE-SLE-15.5-2023-2628=1`
* Public Cloud Module 15-SP1
  `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2023-2628=1`
* Public Cloud Module 15-SP2
  `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2023-2628=1`
* Public Cloud Module 15-SP3
  `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2023-2628=1`
* Public Cloud Module 15-SP4
  `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-2628=1`
* Public Cloud Module 15-SP5
  `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-2628=1`

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  * cloud-init-doc-23.1-150100.8.63.5
  * cloud-init-23.1-150100.8.63.5
  * cloud-init-config-suse-23.1-150100.8.63.5
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * cloud-init-doc-23.1-150100.8.63.5
  * cloud-init-23.1-150100.8.63.5
  * cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  * cloud-init-23.1-150100.8.63.5
  * cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  * cloud-init-23.1-150100.8.63.5
  * cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  * cloud-init-23.1-150100.8.63.5
  * cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  * cloud-init-23.1-150100.8.63.5
  * cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * cloud-init-23.1-150100.8.63.5
  * cloud-init-config-suse-23.1-150100.8.63.5

## References:

* https://www.suse.com/security/cve/CVE-2022-2084.html
* https://www.suse.com/security/cve/CVE-2023-1786.html
* https://bugzilla.suse.com/show_bug.cgi?id=1171511
* https://bugzilla.suse.com/show_bug.cgi?id=1203393
* https://bugzilla.suse.com/show_bug.cgi?id=1210277
* https://bugzilla.suse.com/show_bug.cgi?id=1210652
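
Installing the update does not clean logs written before it, so hashes recorded through the CVE-2022-2084 schema-failure issue named in the Description can remain on disk. The following added example (not SUSE's or cloud-init's code) scans log text for crypt(3)-format password hashes and reports the hits with the hash redacted; the sample log lines and their message wording are constructed, and real log paths are supplied by the caller.

```python
import re
import sys

# crypt(3) modular format: $id$[params$]salt$hash.
# ids: 1 (MD5), 5/6 (SHA-256/512), 2a/2b/2y (bcrypt), y (yescrypt).
CRYPT_HASH = re.compile(
    r"\$(?:1|5|6|2[aby]|y)\$(?:[./A-Za-z0-9=,]+\$){1,2}[./A-Za-z0-9]{22,}"
)


def _redact(match):
    # Keep only the scheme id so the report never repeats the hash.
    scheme = match.group(0).split("$")[1]
    return f"${scheme}$<redacted>"


def find_leaked_hashes(log_text):
    """Return [(line_number, redacted_line)] for lines holding a hash."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if CRYPT_HASH.search(line):
            findings.append((lineno, CRYPT_HASH.sub(_redact, line)))
    return findings


# Constructed sample; message wording is illustrative, not real output.
SAMPLE_LOG = "\n".join([
    "2023-06-23 20:30:04,101 - util.py[DEBUG]: Reading from /etc/hostname",
    "2023-06-23 20:30:04,230 - schema.py[WARNING]: Invalid cloud-config: "
    "users.0: {'name': 'ops', 'passwd': '$6$rounds=4096$c0nstructed$"
    + "A" * 86 + "'} is not valid",
    "2023-06-23 20:30:04,412 - cc_set_passwords.py[DEBUG]: restarting ssh",
    "2023-06-23 20:30:05,007 - schema.py[WARNING]: hashed_passwd: "
    "'$y$j9T$c0nstructedsalt$" + "B" * 43 + "'",
])

if __name__ == "__main__":
    # Pass log file paths as arguments; with none, scan the sample above.
    sources = sys.argv[1:] or [None]
    for path in sources:
        if path:
            with open(path, errors="replace") as fh:
                text = fh.read()
        else:
            text = SAMPLE_LOG
        for lineno, line in find_leaked_hashes(text):
            print(f"{path or 'sample'}:{lineno}: {line}")
```

A hit means the corresponding credential should be treated as exposed: rotate it and restrict or purge the affected log file.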