ELA-448-1 cloud-int security update

logging raw passwords

2021-06-28
Packagecloud-int
Version0.7.6~bzr976-2+deb8u3
Related CVEs CVE-2021-3429

cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as:

chpasswd: list: | user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a world-readable local file.

For Debian 8 jessie, these problems have been fixed in version 0.7.6~bzr976-2+deb8u3.

We recommend that you upgrade your cloud-int packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/