SUSE-SU-2023:2628-1: important: Security update for cloud-init

sle-security-updates at lists.suse.com
Fri Jun 23 20:30:04 UTC 2023



# Security update for cloud-init

Announcement ID: SUSE-SU-2023:2628-1  
Rating: important  
References:

  * #1171511
  * #1203393
  * #1210277
  * #1210652

  
Cross-References:

  * CVE-2022-2084
  * CVE-2023-1786

  
CVSS scores:

  * CVE-2022-2084 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  * CVE-2023-1786 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  * CVE-2023-1786 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  
Affected Products:

  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * Public Cloud Module 15-SP2
  * Public Cloud Module 15-SP1
  * Public Cloud Module 15-SP3
  * Public Cloud Module 15-SP4
  * Public Cloud Module 15-SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP1
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Server 15 SP1
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Manager Proxy 4.0
  * SUSE Manager Proxy 4.1
  * SUSE Manager Proxy 4.2
  * SUSE Manager Proxy 4.3
  * SUSE Manager Retail Branch Server 4.0
  * SUSE Manager Retail Branch Server 4.1
  * SUSE Manager Retail Branch Server 4.2
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.0
  * SUSE Manager Server 4.1
  * SUSE Manager Server 4.2
  * SUSE Manager Server 4.3

  
  
An update that solves two vulnerabilities and has two fixes can now be
installed.

## Description:

This update for cloud-init fixes the following issues:

  * CVE-2023-1786: Do not expose sensitive data gathered from the CSP.
    (bsc#1210277)
  * CVE-2022-2084: Fixed a bug where logging schema failures could include
    password hashes. (bsc#1210652)

  * Update to version 23.1

  * Support transactional-updates for SUSE based distros

  * Set ownership for new folders in Write Files Module
  * add OpenCloudOS and TencentOS support
  * lxd: Retry if the server isn't ready
  * test: switch pycloudlib source to pypi
  * test: Fix integration test deprecation message
  * Recognize opensuse-microos, dev tooling fixes
  * sources/azure: refactor imds handler into own module
  * docs: deprecation generation support
  * add function is_virtual to distro/FreeBSD
  * cc_ssh: support multiple hostcertificates
  * Fix minor schema validation regression and fixup typing
  * doc: Reword user data debug section
  * cli: schema also validate vendordata*.
  * ci: sort and add checks for cla signers file
  * Add "ederst" as contributor
  * readme: add reference to packages dir
  * docs: update downstream package list
  * docs: add google search verification
  * docs: fix 404 render use default notfound_urls_prefix in RTD conf
  * Fix OpenStack datasource detection on bare metal
  * docs: add themed RTD 404 page and pointer to readthedocs-hosted
  * schema: fix gpt labels, use type string for GUID
  * cc_disk_setup: code cleanup
  * netplan: keep custom strict perms when 50-cloud-init.yaml exists
  * cloud-id: better handling of change in datasource files
  * Warn on empty network key
  * Fix Vultr cloud_interfaces usage
  * cc_puppet: Update puppet service name
  * docs: Clarify networking docs
  * lint: remove httpretty
  * cc_set_passwords: Prevent traceback when restarting ssh
  * tests: fix lp1912844
  * tests: Skip ansible test on bionic
  * Wait for NetworkManager
  * docs: minor polishing
  * CI: migrate integration-test to GH actions
  * Fix permission of SSH host keys
  * Fix default route rendering on v2 ipv6
  * doc: fix path in net_convert command
  * docs: update net_convert docs
  * doc: fix dead link
  * cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty
  * distros/rhel.py: _read_hostname() missing strip on "hostname"
  * integration tests: add IBM VPC support
  * machine-id: set to uninitialized to trigger regeneration on clones
  * sources/azure: retry on connection error when fetching metadata
  * Ensure ssh state accurately obtained
  * bddeb: drop dh-systemd dependency on newer deb-based releases
  * doc: fix `config formats` link in cloudsigma.rst
  * Fix wrong subp syntax in cc_set_passwords.py
  * docs: update the PR template link to readthedocs
  * ci: switch unittests to gh actions
  * Add mount_default_fields for PhotonOS.
  * sources/azure: minor refactor for metadata source detection logic
  * add "CalvoM" as contributor
  * ci: doc to gh actions
  * lxd: handle 404 from missing devices route for LXD 4.0
  * docs: Diataxis overhaul
  * vultr: Fix issue regarding cache and region codes
  * cc_set_passwords: Move ssh status checking later
  * Improve Wireguard module idempotency
  * network/netplan: add gateways as on-link when necessary
  * tests: test_lxd assert features.networks.zones when present
  * Use btrfs enqueue when available (#1926) [Robert Schweikert]
  * sources/azure: fix device driver matching for net config (#1914)
  * BSD: fix duplicate macs in Ifconfig parser
  * pycloudlib: add lunar support for integration tests
  * nocloud: add support for dmi variable expansion for seedfrom URL
  * tools: read-version drop extra call to git describe --long
  * doc: improve cc_write_files doc
  * read-version: When insufficient tags, use cloudinit.version.get_version
  * mounts: document weird prefix in schema
  * Ensure network ready before cloud-init service runs on RHEL
  * docs: add copy button to code blocks
  * netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag
  * azure: fix support for systems without az command installed
  * Fix the distro.osfamily output problem in the openEuler system.
  * pycloudlib: bump commit dropping azure api smoke test
  * net: netplan config root read-only as wifi config can contain creds
  * autoinstall: clarify docs for users
  * sources/azure: encode health report as utf-8
  * Add back gateway4/6 deprecation to docs
  * networkd: Add support for multiple [Route] sections
  * doc: add qemu tutorial
  * lint: fix tip-flake8 and tip-mypy
  * Add support for setting uid when creating users on FreeBSD
  * Fix exception in BSD networking code-path
  * Append derivatives to is_rhel list in cloud.cfg.tmpl
  * FreeBSD init: use cloudinit_enable as only rcvar
  * feat: add support aliyun metadata security harden mode
  * docs: uprate analyze to performance page
  * test: fix lxd preseed managed network config
  * Add support for static IPv6 addresses for FreeBSD
  * Make 3.12 failures not fail the build
  * Docs: adding relative links
  * Fix setup.py to align with PEP 440 versioning replacing trailing
  * Add "nkukard" as contributor
  * doc: add how to render new module doc
  * doc: improve module creation explanation
  * Add Support for IPv6 metadata to OpenStack
  * add xiaoge1001 to .github-cla-signers
  * network: Deprecate gateway{4,6} keys in network config v2
  * VMware: Move Guest Customization transport from OVF to VMware
  * doc: home page links added
  * net: skip duplicate mac check for netvsc nic and its VF

This update for python-responses fixes the following issues:

  * update to 0.21.0:
  * Add `threading.Lock()` to allow `responses` to work with the `threading` module.
  * Add `urllib3` `Retry` mechanism. See #135
  * Removed internal `_cookies_from_headers` function
  * Now `add`, `upsert`, `replace` methods return registered response. `remove`
    method returns list of removed responses.
  * Added null value support in `urlencoded_params_matcher` via `allow_blank`
    keyword argument
  * Added strict version of decorator. Now you can apply
    `@responses.activate(assert_all_requests_are_fired=True)` to your function
    to validate that all requests were executed in the wrapped function. See
    #183

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch openSUSE-SLE-15.4-2023-2628=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2023-2628=1

  * Public Cloud Module 15-SP1  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2023-2628=1

  * Public Cloud Module 15-SP2  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2023-2628=1

  * Public Cloud Module 15-SP3  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2023-2628=1

  * Public Cloud Module 15-SP4  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-2628=1

  * Public Cloud Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-2628=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    * cloud-init-doc-23.1-150100.8.63.5
    * cloud-init-23.1-150100.8.63.5
    * cloud-init-config-suse-23.1-150100.8.63.5
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * cloud-init-doc-23.1-150100.8.63.5
    * cloud-init-23.1-150100.8.63.5
    * cloud-init-config-suse-23.1-150100.8.63.5
  * Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    * cloud-init-23.1-150100.8.63.5
    * cloud-init-config-suse-23.1-150100.8.63.5
  * Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64)
    * cloud-init-23.1-150100.8.63.5
    * cloud-init-config-suse-23.1-150100.8.63.5
  * Public Cloud Module 15-SP3 (aarch64 ppc64le s390x x86_64)
    * cloud-init-23.1-150100.8.63.5
    * cloud-init-config-suse-23.1-150100.8.63.5
  * Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
    * cloud-init-23.1-150100.8.63.5
    * cloud-init-config-suse-23.1-150100.8.63.5
  * Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * cloud-init-23.1-150100.8.63.5
    * cloud-init-config-suse-23.1-150100.8.63.5

## References:

  * https://www.suse.com/security/cve/CVE-2022-2084.html
  * https://www.suse.com/security/cve/CVE-2023-1786.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1171511
  * https://bugzilla.suse.com/show_bug.cgi?id=1203393
  * https://bugzilla.suse.com/show_bug.cgi?id=1210277
  * https://bugzilla.suse.com/show_bug.cgi?id=1210652
