cloud-init-19.4-7.el7

Errata ID: AXSA:2020-607:04

Release date: Wednesday, October 7, 2020 - 04:56
Subject: cloud-init-19.4-7.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts.

The following packages have been upgraded to a later upstream version: cloud-init (19.4).

Security Fix(es):

* cloud-init: Use of random.choice when generating random password (CVE-2020-8631)

* cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py (CVE-2020-8632)

* cloud-init: default configuration disabled deletion of SSH host keys (CVE-2018-10896)

CVE-2018-10896
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of SSH host keys. In some environments, this could lead to instances created by cloning a golden master or template system sharing SSH host keys and being able to impersonate one another or conduct man-in-the-middle attacks.

CVE-2020-8631
cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.

CVE-2020-8632
In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
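
The two password issues above (CVE-2020-8631 and CVE-2020-8632) can be seen side by side in the following added example, which is not code from cloud-init or from this advisory. The alphabet, the function names and the sample lengths are assumptions made for illustration.

```python
import math
import random
import secrets
import string

# Assumed alphabet for this example; not copied from cloud-init.
ALPHABET = string.ascii_letters + string.digits


def weak_rand_str(length, rng=random):
    """Pattern named in CVE-2020-8631: random.choice, backed by Mersenne Twister."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_rand_str(length):
    """Hardened form: secrets.choice draws from the operating system CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def replay_matches(seed, length):
    """Two Mersenne Twister instances in the same state emit the same password,
    so the password is only as secret as the generator state."""
    first = weak_rand_str(length, random.Random(seed))
    second = weak_rand_str(length, random.Random(seed))
    return first == second


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy of a uniformly chosen password
    (the CVE-2020-8632 concern: a small pwlen keeps this number low)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed seed value, used only to show determinism.
    print("same state, same password:", replay_matches(1234, 9))
    # Sample lengths chosen for illustration.
    for n in (9, 20):
        print(f"length {n}: {entropy_bits(n):.1f} bits, e.g. {strong_rand_str(n)}")
```
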

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. cloud-init-19.4-7.el7.src.rpm
    MD5: 11dc7c6f965e35c9400321b50b7669c1
    SHA-256: bbc010b9f30a07b9f8b309787d8d8bf82fb4dc7fb12b4498d7add58c9615084d
    Size: 1.09 MB

Asianux Server 7 for x86_64
  1. cloud-init-19.4-7.el7.x86_64.rpm
    MD5: c5190cc595d5f1efd27c2d708d8d1d7e
    SHA-256: ed10441ce5b8d81330ffc5da489ea0416df3456516853da3748014246cbf7dde
    Size: 929.46 kB