<div class="container">
<h1>Security update for cloud-init</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:2628-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1171511">#1171511</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1203393">#1203393</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1210277">#1210277</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1210652">#1210652</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-2084.html">CVE-2022-2084</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-1786.html">CVE-2023-1786</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-2084</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-1786</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-1786</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">Public Cloud Module 15-SP2</li>
<li class="list-group-item">Public Cloud Module 15-SP1</li>
<li class="list-group-item">Public Cloud Module 15-SP3</li>
<li class="list-group-item">Public Cloud Module 15-SP4</li>
<li class="list-group-item">Public Cloud Module 15-SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP1</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP1</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP1</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Manager Proxy 4.0</li>
<li class="list-group-item">SUSE Manager Proxy 4.1</li>
<li class="list-group-item">SUSE Manager Proxy 4.2</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.0</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.1</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.2</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.0</li>
<li class="list-group-item">SUSE Manager Server 4.1</li>
<li class="list-group-item">SUSE Manager Server 4.2</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities and has two fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for cloud-init fixes the following issues:</p>
<ul>
<li>CVE-2023-1786: Do not expose sensitive data gathered from the CSP. (bsc#1210277)</li>
<li>
<p>CVE-2022-2084: Fixed a bug that caused logged schema failures to include password hashes. (bsc#1210652)</p>
</li>
<li>
<p>Update to version 23.1</p>
</li>
<li>
<p>Support transactional-updates for SUSE based distros</p>
</li>
<li>Set ownership for new folders in Write Files Module</li>
<li>add OpenCloudOS and TencentOS support</li>
<li>lxd: Retry if the server isn't ready </li>
<li>test: switch pycloudlib source to pypi </li>
<li>test: Fix integration test deprecation message </li>
<li>Recognize opensuse-microos, dev tooling fixes </li>
<li>sources/azure: refactor imds handler into own module </li>
<li>docs: deprecation generation support </li>
<li>add function is_virtual to distro/FreeBSD</li>
<li>cc_ssh: support multiple hostcertificates </li>
<li>Fix minor schema validation regression and fixup typing </li>
<li>doc: Reword user data debug section </li>
<li>cli: schema also validate vendordata*.</li>
<li>ci: sort and add checks for cla signers file </li>
<li>Add "ederst" as contributor</li>
<li>readme: add reference to packages dir </li>
<li>docs: update downstream package list </li>
<li>docs: add google search verification </li>
<li>docs: fix 404 render use default notfound_urls_prefix in RTD conf</li>
<li>Fix OpenStack datasource detection on bare metal</li>
<li>docs: add themed RTD 404 page and pointer to readthedocs-hosted </li>
<li>schema: fix gpt labels, use type string for GUID </li>
<li>cc_disk_setup: code cleanup </li>
<li>netplan: keep custom strict perms when 50-cloud-init.yaml exists</li>
<li>cloud-id: better handling of change in datasource files</li>
<li>Warn on empty network key </li>
<li>Fix Vultr cloud_interfaces usage </li>
<li>cc_puppet: Update puppet service name </li>
<li>docs: Clarify networking docs </li>
<li>lint: remove httpretty </li>
<li>cc_set_passwords: Prevent traceback when restarting ssh </li>
<li>tests: fix lp1912844 </li>
<li>tests: Skip ansible test on bionic </li>
<li>Wait for NetworkManager </li>
<li>docs: minor polishing </li>
<li>CI: migrate integration-test to GH actions </li>
<li>Fix permission of SSH host keys </li>
<li>Fix default route rendering on v2 ipv6</li>
<li>doc: fix path in net_convert command </li>
<li>docs: update net_convert docs</li>
<li>doc: fix dead link</li>
<li>cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty</li>
<li>distros/rhel.py: _read_hostname() missing strip on "hostname"</li>
<li>integration tests: add IBM VPC support </li>
<li>machine-id: set to uninitialized to trigger regeneration on clones</li>
<li>sources/azure: retry on connection error when fetching metadata</li>
<li>Ensure ssh state accurately obtained </li>
<li>bddeb: drop dh-systemd dependency on newer deb-based releases </li>
<li>doc: fix <code>config formats</code> link in cloudsigma.rst </li>
<li>Fix wrong subp syntax in cc_set_passwords.py </li>
<li>docs: update the PR template link to readthedocs </li>
<li>ci: switch unittests to gh actions</li>
<li>Add mount_default_fields for PhotonOS. </li>
<li>sources/azure: minor refactor for metadata source detection logic</li>
<li>add "CalvoM" as contributor </li>
<li>ci: doc to gh actions </li>
<li>lxd: handle 404 from missing devices route for LXD 4.0 </li>
<li>docs: Diataxis overhaul </li>
<li>vultr: Fix issue regarding cache and region codes </li>
<li>cc_set_passwords: Move ssh status checking later </li>
<li>Improve Wireguard module idempotency </li>
<li>network/netplan: add gateways as on-link when necessary </li>
<li>tests: test_lxd assert features.networks.zones when present </li>
<li>Use btrfs enqueue when available (#1926) [Robert Schweikert]</li>
<li>sources/azure: fix device driver matching for net config (#1914)</li>
<li>BSD: fix duplicate macs in Ifconfig parser </li>
<li>pycloudlib: add lunar support for integration tests </li>
<li>nocloud: add support for dmi variable expansion for seedfrom URL</li>
<li>tools: read-version drop extra call to git describe --long</li>
<li>doc: improve cc_write_files doc</li>
<li>read-version: When insufficient tags, use cloudinit.version.get_version</li>
<li>mounts: document weird prefix in schema </li>
<li>Ensure network ready before cloud-init service runs on RHEL</li>
<li>docs: add copy button to code blocks </li>
<li>netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag</li>
<li>azure: fix support for systems without az command installed </li>
<li>Fix the distro.osfamily output problem in the openEuler system. </li>
<li>pycloudlib: bump commit dropping azure api smoke test</li>
<li>net: netplan config root read-only as wifi config can contain creds</li>
<li>autoinstall: clarify docs for users</li>
<li>sources/azure: encode health report as utf-8 </li>
<li>Add back gateway4/6 deprecation to docs </li>
<li>networkd: Add support for multiple [Route] sections </li>
<li>doc: add qemu tutorial </li>
<li>lint: fix tip-flake8 and tip-mypy </li>
<li>Add support for setting uid when creating users on FreeBSD </li>
<li>Fix exception in BSD networking code-path </li>
<li>Append derivatives to is_rhel list in cloud.cfg.tmpl </li>
<li>FreeBSD init: use cloudinit_enable as only rcvar </li>
<li>feat: add support aliyun metadata security harden mode </li>
<li>docs: uprate analyze to performance page</li>
<li>test: fix lxd preseed managed network config </li>
<li>Add support for static IPv6 addresses for FreeBSD </li>
<li>Make 3.12 failures not fail the build </li>
<li>Docs: adding relative links </li>
<li>Fix setup.py to align with PEP 440 versioning replacing trailing</li>
<li>Add "nkukard" as contributor </li>
<li>doc: add how to render new module doc </li>
<li>doc: improve module creation explanation </li>
<li>Add Support for IPv6 metadata to OpenStack </li>
<li>add xiaoge1001 to .github-cla-signers</li>
<li>network: Deprecate gateway{4,6} keys in network config v2</li>
<li>VMware: Move Guest Customization transport from OVF to VMware</li>
<li>doc: home page links added</li>
<li>net: skip duplicate mac check for netvsc nic and its VF</li>
</ul>
<p>This update for python-responses fixes the following issues:</p>
<ul>
<li>update to 0.21.0:</li>
<li>Add <code>threading.Lock()</code> to allow <code>responses</code> to work with the <code>threading</code> module.</li>
<li>Add <code>urllib3</code> <code>Retry</code> mechanism. See #135</li>
<li>Removed internal <code>_cookies_from_headers</code> function</li>
<li>Now <code>add</code>, <code>upsert</code>, <code>replace</code> methods return registered response.
<code>remove</code> method returns list of removed responses.</li>
<li>Added null value support in <code>urlencoded_params_matcher</code> via <code>allow_blank</code> keyword argument</li>
<li>Added strict version of decorator. Now you can apply <code>@responses.activate(assert_all_requests_are_fired=True)</code>
to your function to validate that all requests were executed in the wrapped function. See #183</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE Important update, use the SUSE recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch openSUSE-SLE-15.4-2023-2628=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2023-2628=1</code>
</li>
<li class="list-group-item">
Public Cloud Module 15-SP1
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2023-2628=1</code>
</li>
<li class="list-group-item">
Public Cloud Module 15-SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2023-2628=1</code>
</li>
<li class="list-group-item">
Public Cloud Module 15-SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2023-2628=1</code>
</li>
<li class="list-group-item">
Public Cloud Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-2628=1</code>
</li>
<li class="list-group-item">
Public Cloud Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-2628=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cloud-init-doc-23.1-150100.8.63.5</li>
<li>cloud-init-23.1-150100.8.63.5</li>
<li>cloud-init-config-suse-23.1-150100.8.63.5</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cloud-init-doc-23.1-150100.8.63.5</li>
<li>cloud-init-23.1-150100.8.63.5</li>
<li>cloud-init-config-suse-23.1-150100.8.63.5</li>
</ul>
</li>
<li>
Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cloud-init-23.1-150100.8.63.5</li>
<li>cloud-init-config-suse-23.1-150100.8.63.5</li>
</ul>
</li>
<li>
Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cloud-init-23.1-150100.8.63.5</li>
<li>cloud-init-config-suse-23.1-150100.8.63.5</li>
</ul>
</li>
<li>
Public Cloud Module 15-SP3 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cloud-init-23.1-150100.8.63.5</li>
<li>cloud-init-config-suse-23.1-150100.8.63.5</li>
</ul>
</li>
<li>
Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cloud-init-23.1-150100.8.63.5</li>
<li>cloud-init-config-suse-23.1-150100.8.63.5</li>
</ul>
</li>
<li>
Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cloud-init-23.1-150100.8.63.5</li>
<li>cloud-init-config-suse-23.1-150100.8.63.5</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-2084.html">https://www.suse.com/security/cve/CVE-2022-2084.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-1786.html">https://www.suse.com/security/cve/CVE-2023-1786.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1171511">https://bugzilla.suse.com/show_bug.cgi?id=1171511</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1203393">https://bugzilla.suse.com/show_bug.cgi?id=1203393</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1210277">https://bugzilla.suse.com/show_bug.cgi?id=1210277</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1210652">https://bugzilla.suse.com/show_bug.cgi?id=1210652</a>
</li>
</ul>
</div>