Publishing details

Published on 2023-04-25
Copied from ubuntu jammy in Private PPA for Ubuntu Security Team Collaboration by Mark Esler

Changelog

cloud-init (23.1.2-0ubuntu0~22.04.1) jammy; urgency=medium

  * SECURITY UPDATE: Make user/vendor data sensitive and remove log permissions
    Because user data and vendor data may contain sensitive information,
    this commit ensures that any user data or vendor data written to
    instance-data.json gets redacted and is only available to root user.

    Also, modify the permissions of cloud-init.log to be 640, so that
    sensitive data leaked to the log isn't world readable.
    Additionally, remove the logging of user data and vendor data to
    cloud-init.log from the Vultr datasource.

    This is based on upstream snapshot of 23.1.2 [(LP: #2013967)]

    - d/cloud-init.postinst: postinst fixes for LP: #2013967
      Redact sensitive keys from world-readable instance-data.json on upgrade.
      Set perms 640 for /var/log/cloud-init.log on pkg upgrade.
      Redact sensitive Vultr messages from /var/log/cloud-init.log
    - (CVE-2023-1786)

 -- James Falcon <email address hidden>  Thu, 20 Apr 2023 20:37:40 -0500

Available diffs

Builds

amd64

Built packages

cloud-init initialization and customization tool for cloud instances

Package files

cloud-init_23.1.2-0ubuntu0~22.04.1.debian.tar.xz (87.3 KiB)
cloud-init_23.1.2-0ubuntu0~22.04.1.dsc (2.2 KiB)
cloud-init_23.1.2-0ubuntu0~22.04.1_all.deb (518.5 KiB)
cloud-init_23.1.2.orig.tar.gz (1.5 MiB)