SUSE-SU-2023:2628-1: important: Security update for cloud-init
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Fri Jun 23 20:30:04 UTC 2023
# Security update for cloud-init
Announcement ID: SUSE-SU-2023:2628-1
Rating: important
References:
* #1171511
* #1203393
* #1210277
* #1210652
Cross-References:
* CVE-2022-2084
* CVE-2023-1786
CVSS scores:
* CVE-2022-2084 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-1786 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-1786 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Public Cloud Module 15-SP2
* Public Cloud Module 15-SP1
* Public Cloud Module 15-SP3
* Public Cloud Module 15-SP4
* Public Cloud Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP1
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.0
* SUSE Manager Proxy 4.1
* SUSE Manager Proxy 4.2
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.0
* SUSE Manager Retail Branch Server 4.1
* SUSE Manager Retail Branch Server 4.2
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.0
* SUSE Manager Server 4.1
* SUSE Manager Server 4.2
* SUSE Manager Server 4.3
An update that solves two vulnerabilities and has two fixes can now be
installed.
## Description:
This update for cloud-init fixes the following issues:
* CVE-2023-1786: Do not expose sensitive data gathered from the CSP.
(bsc#1210277)
* CVE-2022-2084: Fixed a bug which caused logging schema failures can include
password hashes. (bsc#1210652)
* Update to version 23.1
* Support transactional-updates for SUSE based distros
* Set ownership for new folders in Write Files Module
* add OpenCloudOS and TencentOS support
* lxd: Retry if the server isn't ready
* test: switch pycloudlib source to pypi
* test: Fix integration test deprecation message
* Recognize opensuse-microos, dev tooling fixes
* sources/azure: refactor imds handler into own module
* docs: deprecation generation support
* add function is_virtual to distro/FreeBSD
* cc_ssh: support multiple hostcertificates
* Fix minor schema validation regression and fixup typing
* doc: Reword user data debug section
* cli: schema also validate vendordata*.
* ci: sort and add checks for cla signers file
* Add "ederst" as contributor
* readme: add reference to packages dir
* docs: update downstream package list
* docs: add google search verification
* docs: fix 404 render use default notfound_urls_prefix in RTD conf
* Fix OpenStack datasource detection on bare metal
* docs: add themed RTD 404 page and pointer to readthedocs-hosted
* schema: fix gpt labels, use type string for GUID
* cc_disk_setup: code cleanup
* netplan: keep custom strict perms when 50-cloud-init.yaml exists
* cloud-id: better handling of change in datasource files
* Warn on empty network key
* Fix Vultr cloud_interfaces usage
* cc_puppet: Update puppet service name
* docs: Clarify networking docs
* lint: remove httpretty
* cc_set_passwords: Prevent traceback when restarting ssh
* tests: fix lp1912844
* tests: Skip ansible test on bionic
* Wait for NetworkManager
* docs: minor polishing
* CI: migrate integration-test to GH actions
* Fix permission of SSH host keys
* Fix default route rendering on v2 ipv6
* doc: fix path in net_convert command
* docs: update net_convert docs
* doc: fix dead link
* cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty
* distros/rhel.py: _read_hostname() missing strip on "hostname"
* integration tests: add IBM VPC support
* machine-id: set to uninitialized to trigger regeneration on clones
* sources/azure: retry on connection error when fetching metdata
* Ensure ssh state accurately obtained
* bddeb: drop dh-systemd dependency on newer deb-based releases
* doc: fix `config formats` link in cloudsigma.rst
* Fix wrong subp syntax in cc_set_passwords.py
* docs: update the PR template link to readthedocs
* ci: switch unittests to gh actions
* Add mount_default_fields for PhotonOS.
* sources/azure: minor refactor for metadata source detection logic
* add "CalvoM" as contributor
* ci: doc to gh actions
* lxd: handle 404 from missing devices route for LXD 4.0
* docs: Diataxis overhaul
* vultr: Fix issue regarding cache and region codes
* cc_set_passwords: Move ssh status checking later
* Improve Wireguard module idempotency
* network/netplan: add gateways as on-link when necessary
* tests: test_lxd assert features.networks.zones when present
* Use btrfs enquque when available (#1926) [Robert Schweikert]
* sources/azure: fix device driver matching for net config (#1914)
* BSD: fix duplicate macs in Ifconfig parser
* pycloudlib: add lunar support for integration tests
* nocloud: add support for dmi variable expansion for seedfrom URL
* tools: read-version drop extra call to git describe --long
* doc: improve cc_write_files doc
* read-version: When insufficient tags, use cloudinit.version.get_version
* mounts: document weird prefix in schema
* Ensure network ready before cloud-init service runs on RHEL
* docs: add copy button to code blocks
* netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag
* azure: fix support for systems without az command installed
* Fix the distro.osfamily output problem in the openEuler system.
* pycloudlib: bump commit dropping azure api smoke test
* net: netplan config root read-only as wifi config can contain creds
* autoinstall: clarify docs for users
* sources/azure: encode health report as utf-8
* Add back gateway4/6 deprecation to docs
* networkd: Add support for multiple [Route] sections
* doc: add qemu tutorial
* lint: fix tip-flake8 and tip-mypy
* Add support for setting uid when creating users on FreeBSD
* Fix exception in BSD networking code-path
* Append derivatives to is_rhel list in cloud.cfg.tmpl
* FreeBSD init: use cloudinit_enable as only rcvar
* feat: add support aliyun metadata security harden mode
* docs: uprate analyze to performance page
* test: fix lxd preseed managed network config
* Add support for static IPv6 addresses for FreeBSD
* Make 3.12 failures not fail the build
* Docs: adding relative links
* Fix setup.py to align with PEP 440 versioning replacing trailing
* Add "nkukard" as contributor
* doc: add how to render new module doc
* doc: improve module creation explanation
* Add Support for IPv6 metadata to OpenStack
* add xiaoge1001 to .github-cla-signers
* network: Deprecate gateway{4,6} keys in network config v2
* VMware: Move Guest Customization transport from OVF to VMware
* doc: home page links added
* net: skip duplicate mac check for netvsc nic and its VF
This update for python-responses fixes the following issues:
* update to 0.21.0:
* Add `threading.Lock()` to allow `responses` working with `threading` module.
* Add `urllib3` `Retry` mechanism. See #135
* Removed internal `_cookies_from_headers` function
* Now `add`, `upsert`, `replace` methods return registered response. `remove`
method returns list of removed responses.
* Added null value support in `urlencoded_params_matcher` via `allow_blank`
keyword argument
* Added strict version of decorator. Now you can apply
`@responses.activate(assert_all_requests_are_fired=True)` to your function
to validate that all requests were executed in the wrapped function. See
#183
## Patch Instructions:
To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-2628=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-2628=1
* Public Cloud Module 15-SP1
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2023-2628=1
* Public Cloud Module 15-SP2
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2023-2628=1
* Public Cloud Module 15-SP3
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2023-2628=1
* Public Cloud Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-2628=1
* Public Cloud Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-2628=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* cloud-init-doc-23.1-150100.8.63.5
* cloud-init-23.1-150100.8.63.5
* cloud-init-config-suse-23.1-150100.8.63.5
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* cloud-init-doc-23.1-150100.8.63.5
* cloud-init-23.1-150100.8.63.5
* cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.1-150100.8.63.5
* cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.1-150100.8.63.5
* cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP3 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.1-150100.8.63.5
* cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.1-150100.8.63.5
* cloud-init-config-suse-23.1-150100.8.63.5
* Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* cloud-init-23.1-150100.8.63.5
* cloud-init-config-suse-23.1-150100.8.63.5
## References:
* https://www.suse.com/security/cve/CVE-2022-2084.html
* https://www.suse.com/security/cve/CVE-2023-1786.html
* https://bugzilla.suse.com/show_bug.cgi?id=1171511
* https://bugzilla.suse.com/show_bug.cgi?id=1203393
* https://bugzilla.suse.com/show_bug.cgi?id=1210277
* https://bugzilla.suse.com/show_bug.cgi?id=1210652
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20230623/bc0f39fb/attachment.htm>
More information about the sle-updates
mailing list