Changelog
cloud-init (23.1.2-0ubuntu0~22.10.1) kinetic; urgency=medium
* SECURITY UPDATE: Make user/vendor data sensitive and remove log permissions
Because user data and vendor data may contain sensitive information,
this commit ensures that any user data or vendor data written to
instance-data.json gets redacted and is only available to root user.
Also, modify the permissions of cloud-init.log to be 640, so that
sensitive data leaked to the log isn't world readable.
Additionally, remove the logging of user data and vendor data to
cloud-init.log from the Vultr datasource.
This is based on upstream snapshot of 23.1.2 [(LP: #2013967)]
- d/cloud-init.postinst: postinst fixes for LP: #2013967
Redact sensitive keys from world-readable instance-data.json on upgrade.
Set perms 640 for /var/log/cloud-init.log on pkg upgrade.
Redact sensitive Vultr messages from /var/log/cloud-init.log
- (CVE-2023-1786)
-- James Falcon <email address hidden> Fri, 21 Apr 2023 14:21:43 -0500
