SUSE-SU-2024:0128-1: moderate: Security update for cloud-init
SLE-SECURITY-UPDATES
null at suse.de
Wed Jan 17 08:30:01 UTC 2024
# Security update for cloud-init
Announcement ID: SUSE-SU-2024:0128-1
Rating: moderate
References:
* bsc#1198269
* bsc#1201010
* bsc#1214169
* bsc#1215740
* bsc#1215794
* bsc#1216007
* bsc#1216011
Cross-References:
* CVE-2023-1786
CVSS scores:
* CVE-2023-1786 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-1786 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Public Cloud Module 15-SP2
* Public Cloud Module 15-SP1
* Public Cloud Module 15-SP3
* Public Cloud Module 15-SP4
* Public Cloud Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP1
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.0
* SUSE Manager Proxy 4.1
* SUSE Manager Proxy 4.2
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.0
* SUSE Manager Retail Branch Server 4.1
* SUSE Manager Retail Branch Server 4.2
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.0
* SUSE Manager Server 4.1
* SUSE Manager Server 4.2
* SUSE Manager Server 4.3
An update that solves one vulnerability and has six security fixes can now be
installed.
## Description:
This update for cloud-init contains the following fixes:
* Move fdupes call back to %install.(bsc#1214169)
* Update to version 23.3. (bsc#1216011)
* (bsc#1215794)
* (bsc#1215740)
* (bsc#1216007)
* Bump pycloudlib to 1!5.1.0 for ec2 mantic daily image support (#4390)
* Fix cc_keyboard in mantic (LP: #2030788)
* ec2: initialize get_instance_userdata return value to bytes (#4387) [Noah
Meyerhans]
* cc_users_groups: Add doas/opendoas support (#4363) [dermotbradley]
* Fix pip-managed ansible
* status: treat SubState=running and MainPID=0 as service exited
* azure/imds: increase read-timeout to 30s (#4372) [Chris Patterson]
* collect-logs fix memory usage (SC-1590) (#4289) [Alec Warren] (LP: #1980150)
* cc_mounts: Use fallocate to create swapfile on btrfs (#4369)
* Undocument nocloud-net (#4318)
* feat(akamai): add akamai to settings.py and apport.py (#4370)
* read-version: fallback to get_version when git describe fails (#4366)
* apt: fix cloud-init status --wait blocking on systemd v 253 (#4364)
* integration tests: Pass username to pycloudlib (#4324)
* Bump pycloudlib to 1!5.1.0 (#4353)
* cloud.cfg.tmpl: reorganise, minimise/reduce duplication (#4272)
[dermotbradley]
* analyze: fix (unexpected) timestamp parsing (#4347) [Mina Galić]
* cc_growpart: fix tests to run on FreeBSD (#4351) [Mina Galić]
* subp: Fix spurious test failure on FreeBSD (#4355) [Mina Galić]
* cmd/clean: fix tests on non-Linux platforms (#4352) [Mina Galić]
* util: Fix get_proc_ppid() on non-Linux systems (#4348) [Mina Galić]
* cc_wireguard: make tests pass on FreeBSD (#4346) [Mina Galić]
* unittests: fix breakage in test_read_cfg_paths_fetches_cached_datasource
(#4328) [Ani Sinha]
* Fix test_tools.py collection (#4315)
* cc_keyboard: add Alpine support (#4278) [dermotbradley]
* Flake8 fixes (#4340) [Robert Schweikert]
* cc_mounts: Fix swapfile not working on btrfs (#4319) [王煎饼] (LP: #1884127)
* ds-identify/CloudStack: $DS_MAYBE if vm running on vmware/xen (#4281) [Wei
Zhou]
* ec2: Support double encoded userdata (#4275) [Noah Meyerhans]
* cc_mounts: xfs is a Linux only FS (#4334) [Mina Galić]
* tests/net: fix TestGetInterfaces' mock coverage for get_master (#4336)
[Chris Patterson]
* change openEuler to openeuler and fix some bugs in openEuler (#4317)
[sxt1001]
* Replace flake8 with ruff (#4314)
* NM renderer: set default IPv6 addr-gen-mode for all interfaces to eui64
(#4291) [Ani Sinha]
* cc_ssh_import_id: add Alpine support and add doas support (#4277)
[dermotbradley]
* sudoers not idempotent (SC-1589) (#4296) [Alec Warren] (LP: #1998539)
* Added support for Akamai Connected Cloud (formerly Linode) (#4167) [Will
Smith]
* Fix reference before assignment (#4292)
* Overhaul module reference page (#4237) [Sally]
* replaced spaces with commas for setting passenv (#4269) [Alec Warren]
* DS VMware: modify a few log level (#4284) [PengpengSun]
* tools/read-version refactors and unit tests (#4268)
* Ensure get_features() grabs all features (#4285)
* Don't always require passlib dependency (#4274)
* tests: avoid leaks into host system checking of ovs-vsctl cmd (#4275)
* Fix NoCloud kernel commandline key parsing (#4273)
* testing: Clear all LRU caches after each test (#4249)
* Remove the crypt dependency (#2139) [Gonéri Le Bouder]
* logging: keep current file mode of log file if its stricter than the new
mode (#4250) [Ani Sinha]
* Remove default membership in redundant groups (#4258) [Dave Jones] (LP:
#1923363)
* doc: improve datasource_creation.rst (#4262)
* Remove duplicate Integration testing button (#4261) [Rishita Shaw]
* tools/read-version: fix the tool so that it can handle version parsing
errors (#4234) [Ani Sinha]
* net/dhcp: add udhcpc support (#4190) [Jean-François Roche]
* DS VMware: add i386 arch dir to deployPkg plugin search path [PengpengSun]
* LXD moved from linuxcontainers.org to Canonical [Simon Deziel]
* cc_mounts.py: Add note about issue with creating mounts inside mounts
(#4232) [dermotbradley]
* lxd: install lxd from snap, not deb if absent in image
* landscape: use landscape-config to write configuration
* Add deprecation log during init of DataSourceDigitalOcean (#4194) [tyb-
truth]
* doc: fix typo on apt.primary.arches (#4238) [Dan Bungert]
* Inspect systemd state for cloud-init status (#4230)
* instance-data: add system-info and features to combined-cloud-config (#4224)
* systemd: Block login until config stage completes (#2111) (LP: #2013403)
* tests: proposed should invoke apt-get install -t=<release>-proposed (#4235)
* cloud.cfg.tmpl: reinstate ca_certs entry (#4236) [dermotbradley]
* Remove feature flag override ability (#4228)
* tests: drop stray unrelated file presence test (#4227)
* Update LXD URL (#4223) [Sally]
* schema: add network v1 schema definition and validation functions
* tests: daily PPA for devel series is version 99.daily update tests to match
(#4225)
* instance-data: write /run/cloud-init/combined-cloud-config.json
* mount parse: Fix matching non-existent directories (#4222) [Mina Galić]
* Specify build-system for pep517 (#4218)
* Fix network v2 metric rendering (#4220)
* Migrate content out of FAQ page (SD-1187) (#4205) [Sally]
* setup: fix generation of init templates (#4209) [Mina Galić]
* docs: Correct some bootcmd example wording
* fix changelog
* tests: reboot client to assert x-shellscript-per-boot is triggered
* nocloud: parse_cmdline no longer detects nocloud-net datasource (#4204) (LP:
4203, #2025180)
* Add docstring and typing to mergemanydict (#4200)
* BSD: add dsidentify to early startup scripts (#4182) [Mina Galić]
* handler: report errors on skipped merged cloud-config.txt parts (LP:
#1999952)
* Add cloud-init summit writeups (#4179) [Sally]
* tests: Update test_clean_log for oci (#4187)
* gce: improve ephemeral fallback NIC selection (CPC-2578) (#4163)
* tests: pin pytest 7.3.1 to avoid adverse testpaths behavior (#4184)
* Ephemeral Networking for FreeBSD (#2165) [Mina Galić]
* Clarify directory syntax for nocloud local filesystem. (#4178)
* Set default renderer as sysconfig for centos/rhel (#4165) [Ani Sinha]
* Test static routes and netplan 0.106
* FreeBSD fix parsing of mount and mount options (#2146) [Mina Galić]
* test: add tracking bug id (#4164)
* tests: can't match MAC for LXD container veth due to netplan 0.106 (#4162)
* Add kaiwalyakoparkar as a contributor (#4156) [Kaiwalya Koparkar]
* BSD: remove datasource_list from cloud.cfg template (#4159) [Mina Galić]
* launching salt-minion in masterless mode (#4110) [Denis Halturin]
* tools: fix run-container builds for rockylinux/8 git hash mismatch (#4161)
* fix doc lint: spellchecker tripped up (#4160) [Mina Galić]
* Support Ephemeral Networking for BSD (#2127)
* Added / fixed support for static routes on OpenBSD and FreeBSD (#2157)
[Kadir Mueller]
* cc_rsyslog: Refactor for better multi-platform support (#4119) [Mina Galić]
(LP: #1798055)
* tests: fix test_lp1835584 (#4154)
* cloud.cfg mod names: docs and rename salt_minion and set_password (#4153)
* vultr: remove check_route check (#2151) [Jonas Chevalier]
* Update SECURITY.md (#4150) [Indrranil Pawar]
* Update CONTRIBUTING.rst (#4149) [Indrranil Pawar]
* Update .github-cla-signers (#4151) [Indrranil Pawar]
* Standardise module names in cloud.cfg.tmpl to only use underscore (#4128)
[dermotbradley]
* Modify PR template so autoclose works From 23.2.2
* Fix NoCloud kernel commandline key parsing (#4273) (Fixes: #4271) (LP:
#2028562)
* Fix reference before assignment (#4292) (Fixes: #4288) (LP: #2028784) From
23.2.1
* nocloud: Fix parse_cmdline detection of nocloud-net datasource (#4204)
(Fixes: 4203) (LP: #2025180) From 23.2
* BSD: simplify finding MBR partitions by removing duplicate code [Mina Galić]
* tests: bump pycloudlib version for mantic builds
* network-manager: Set higher autoconnect priority for nm keyfiles (#3671)
[Ani Sinha]
* alpine.py: change the locale file used (#4139) [dermotbradley]
* cc_ntp: Sync up with current FreeBSD ntp.conf (#4122) [Mina Galić]
* config: drop refresh_rmc_and_interface as RHEL 7 no longer supported [Robert
Schweikert]
* docs: Add feedback button to docs
* net/sysconfig: enable sysconfig renderer if network manager has ifcfg-rh
plugin (#4132) [Ani Sinha]
* For Alpine use os-release PRETTY_NAME (#4138) [dermotbradley]
* network_manager: add a method for ipv6 static IP configuration (#4127) [Ani
Sinha]
* correct misnamed template file host.mariner.tmpl (#4124) [dermotbradley]
* nm: generate ipv6 stateful dhcp config at par with sysconfig (#4115) [Ani
Sinha]
* Add templates for GitHub Issues
* Add 'peers' and 'allow' directives in cc_ntp (#3124) [Jacob Salmela]
* FreeBSD: Fix user account locking (#4114) [Mina Galić] (GH: #1854594)
* FreeBSD: add ResizeGrowFS class to cc_growpart (#2334) [Mina Galić]
* Update tests in Azure TestCanDevBeReformatted class (#2771) [Ksenija
Stanojevic]
* Replace Launchpad references with GitHub Issues
* Fix KeyError in iproute pformat (#3287) [Dmitry Zykov]
* schema: read_cfg_paths call init.fetch to lookup /v/l/c/instance
* azure/errors: introduce reportable errors for imds (#3647) [Chris Patterson]
* FreeBSD (and friends): better identify MBR slices (#2168) [Mina Galić] (LP:
#2016350)
* azure/errors: add host reporting for dhcp errors (#2167) [Chris Patterson]
* net: purge blacklist_drivers across net and azure (#2160) [Chris Patterson]
* net: refactor hyper-v VF filtering and apply to get_interfaces() (#2153)
[Chris Patterson]
* tests: avoid leaks to underlying filesystem for /etc/cloud/clean.d (#2251)
* net: refactor find_candidate_nics_on_linux() to use get_interfaces() (#2159)
[Chris Patterson]
* resolv_conf: Allow > 3 nameservers (#2152) [Major Hayden]
* Remove mount NTFS error message (#2134) [Ksenija Stanojevic]
* integration tests: fix image specification parsing (#2166)
* ci: add hypothesis scheduled GH check (#2149)
* Move supported distros list to docs (#2162)
* Fix logger, use instance rather than module function (#2163)
* README: Point to Github Actions build status (#2158)
* Revert "fix linux-specific code on bsd (#2143)" (#2161)
* Do not generate dsa and ed25519 key types when crypto FIPS mode is enabled
(#2142) [Ani Sinha] (LP: 2017761)
* Add documentation label automatically (#2156)
* sources/azure: report success to host and introduce kvp module (#2141)
[Chris Patterson]
* setup.py: use pkg-config for udev/rules path (#2137) [dankm]
* openstack/static: honor the DNS servers associated with a network (#2138)
[Gonéri Le Bouder]
* fix linux-specific code on bsd (#2143)
* cli: schema validation of jinja template user-data (SC-1385) (#2132) (LP:
#1881925)
* gce: activate network discovery on every boot (#2128)
* tests: update integration test to assert 640 across reboots (#2145)
* Make user/vendor data sensitive and remove log permissions (#2144) (LP:
#2013967)
* Update kernel command line docs (SC-1457) (#2133)
* docs: update network configuration path links (#2140) [d1r3ct0r]
* sources/azure: report failures to host via kvp (#2136) [Chris Patterson]
* net: Document use of `ip route append` to add routes (#2130)
* dhcp: Add missing mocks (#2135)
* azure/imds: retry fetching metadata up to 300 seconds (#2121) [Chris
Patterson]
* [1/2] DHCP: Refactor dhcp client code (#2122)
* azure/errors: treat traceback_base64 as string (#2131) [Chris Patterson]
* azure/errors: introduce reportable errors (#2129) [Chris Patterson]
* users: schema permit empty list to indicate create no users
* azure: introduce identity module (#2116) [Chris Patterson]
* Standardize disabling cloud-init on non-systemd (#2112)
* Update .github-cla-signers (#2126) [Rob Tongue]
* NoCloud: Use seedfrom protocol to determine mode (#2107)
* rhel: Remove sysvinit files. (#2114)
* tox.ini: set -vvvv --showlocals for pytest (#2104) [Chris Patterson]
* Fix NoCloud kernel commandline semi-colon args
* run-container: make the container/VM timeout configurable (#2118) [Paride
Legovini]
* suse: Remove sysvinit files. (#2115)
* test: Backport assert_call_count for old requests (#2119)
* Add "licebmi" as contributor (#2113) [Mark Martinez]
* Adapt DataSourceScaleway to upcoming IPv6 support (#2033) [Louis Bouchard]
* rhel: make sure previous-hostname file ends with a new line (#2108) [Ani
Sinha]
* Adding contributors for DataSourceAkamai (#2110) [acourdavAkamai]
* Cleanup ephemeral IP routes on exception (#2100) [sxt1001]
* commit 09a64badfb3f51b1b391fa29be19962381a4bbeb [sxt1001] (LP: #2011291)
* Standardize kernel commandline user interface (#2093)
* config/cc_resizefs: fix do_resize arguments (#2106) [Chris Patterson]
* Fix test_dhclient_exits_with_error (#2105)
* net/dhcp: catch dhclient failures and raise NoDHCPLeaseError (#2083) [Chris
Patterson]
* sources/azure: move pps handling out of _poll_imds() (#2075) [Chris
Patterson]
* tests: bump pycloudlib version (#2102)
* schema: do not manipulate draft4 metaschema for jsonschema 2.6.0 (#2098)
* sources/azure/imds: don't count timeout errors as connection errors (#2074)
[Chris Patterson]
* Fix Python 3.12 unit test failures (#2099)
* integration tests: Refactor instance checking (#1989)
* ci: migrate remaining jobs from travis to gh (#2085)
* missing ending quote in instancedata docs(#2094) [Hong L]
* refactor: stop passing log instances to cc_* handlers (#2016) [d1r3ct0r]
* tests/vmware: fix test_no_data_access_method failure (#2092) [Chris
Patterson]
* Don't change permissions of netrules target (#2076) (LP: #2011783)
* tests/sources: patch util.get_cmdline() for datasource tests (#2091) [Chris
Patterson]
* macs: ignore duplicate MAC for devs with driver driver qmi_wwan (#2090) (LP:
#2008888)
* Fedora: Enable CA handling (#2086) [František Zatloukal]
* Send dhcp-client-identifier for InfiniBand ports (#2043) [Waleed Mousa]
* cc_ansible: complete the examples and doc (#2082) [Yves]
* bddeb: for dev package, derive debhelper-compat from host system
* apport: only prompt for cloud_name when instance-data.json is absent
* datasource: Optimize datasource detection, fix bugs (#2060)
* Handle non existent ca-cert-config situation (#2073) [Shreenidhi Shedi]
* sources/azure: add networking check for all source PPS (#2061) [Chris
Patterson]
* do not attempt dns resolution on ip addresses (#2040)
* chore: fix style tip (#2071)
* Fix metadata IP in instancedata.rst (#2063) [Brian Haley]
* util: Pass deprecation schedule in deprecate_call() (#2064)
* config: Update grub-dpkg docs (#2058)
* docs: Cosmetic improvements and styling (#2057) [s-makin]
* cc_grub_dpkg: Added UEFI support (#2029) [Alexander Birkner]
* tests: Write to /var/spool/rsyslog to adhere to apparmor profile (#2059)
* oracle-ds: prefer system_cfg over ds network config source (#1998) (LP:
#1956788)
* Remove dead code (#2038)
* source: Force OpenStack when it is only option (#2045) (LP: #2008727)
* cc_ubuntu_advantage: improve UA logs discovery
* sources/azure: fix regressions in IMDS behavior (#2041) [Chris Patterson]
* tests: fix test_schema (#2042)
* dhcp: Cleanup unused kwarg (#2037)
* sources/vmware/imc: fix-missing-catch-few-negtive-scenarios (#2027)
[PengpengSun]
* dhclient_hook: remove vestigal dhclient_hook command (#2015)
* log: Add standardized deprecation tooling (SC-1312) (#2026)
* Enable SUSE based distros for ca handling (#2036) [Robert Schweikert] From
23.1.2
* Make user/vendor data sensitive and remove log permissions (LP: #2013967)
(CVE-2023-1786)
* Remove six dependency (bsc#1198269)
* Update to version 22.4 (bsc#1201010)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2024-128=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-128=1
* Public Cloud Module 15-SP1
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2024-128=1
* Public Cloud Module 15-SP2
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2024-128=1
* Public Cloud Module 15-SP3
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2024-128=1
* Public Cloud Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2024-128=1
* Public Cloud Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2024-128=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* cloud-init-doc-23.3-150100.8.71.1
* cloud-init-23.3-150100.8.71.1
* cloud-init-config-suse-23.3-150100.8.71.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* cloud-init-doc-23.3-150100.8.71.1
* cloud-init-23.3-150100.8.71.1
* cloud-init-config-suse-23.3-150100.8.71.1
* Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.3-150100.8.71.1
* cloud-init-config-suse-23.3-150100.8.71.1
* Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.3-150100.8.71.1
* cloud-init-config-suse-23.3-150100.8.71.1
* Public Cloud Module 15-SP3 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.3-150100.8.71.1
* cloud-init-config-suse-23.3-150100.8.71.1
* Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.3-150100.8.71.1
* cloud-init-config-suse-23.3-150100.8.71.1
* Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.3-150100.8.71.1
* cloud-init-config-suse-23.3-150100.8.71.1
## References:
* https://www.suse.com/security/cve/CVE-2023-1786.html
* https://bugzilla.suse.com/show_bug.cgi?id=1198269
* https://bugzilla.suse.com/show_bug.cgi?id=1201010
* https://bugzilla.suse.com/show_bug.cgi?id=1214169
* https://bugzilla.suse.com/show_bug.cgi?id=1215740
* https://bugzilla.suse.com/show_bug.cgi?id=1215794
* https://bugzilla.suse.com/show_bug.cgi?id=1216007
* https://bugzilla.suse.com/show_bug.cgi?id=1216011
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20240117/67c191c7/attachment.htm>
More information about the sle-security-updates
mailing list