authorJames Falcon <james.falcon@canonical.com>2023-04-21 14:44:22 -0500
committerJames Falcon <james.falcon@canonical.com>2023-04-21 14:44:22 -0500
commitd833d90335129012f235aa7d297b968d12492fb8 (patch)
tree76d329aef31a19a6a44dbaa33476400c64e7e4a0
parent2179ee11597b5490628b47e8aea1172c2a62fc09 (diff)
downloadcloud-init-git-d833d90335129012f235aa7d297b968d12492fb8.tar.gz
update changelog
-rw-r--r--debian/changelog22
-rw-r--r--debian/cloud-init.postinst2
2 files changed, 20 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index fc9776a5..5f04200c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,24 @@
-cloud-init (23.1.1-0ubuntu0~18.04.2) UNRELEASED; urgency=medium
+cloud-init (23.1.2-0ubuntu0~18.04.1) UNRELEASED; urgency=medium
- * Upstream snapshot based on upstream/main at 34637a49.
+ * SECURITY UPDATE: Make user/vendor data sensitive and remove log permissions
+ Because user data and vendor data may contain sensitive information,
+ this commit ensures that any user data or vendor data written to
+ instance-data.json gets redacted and is only available to root user.
- -- James Falcon <james.falcon@canonical.com> Fri, 21 Apr 2023 14:41:53 -0500
+ Also, modify the permissions of cloud-init.log to be 640, so that
+ sensitive data leaked to the log isn't world readable.
+ Additionally, remove the logging of user data and vendor data to
+ cloud-init.log from the Vultr datasource.
+
+ This is based on upstream snapshot of 23.1.2 [(LP: #2013967)]
+
+ - d/cloud-init.postinst: postinst fixes for LP: #2013967
+ Redact sensitive keys from world-readable instance-data.json on upgrade.
+ Set perms 640 for /var/log/cloud-init.log on pkg upgrade.
+ Redact sensitive Vultr messages from /var/log/cloud-init.log
+ - (CVE-2023-1786)
+
+ -- James Falcon <james.falcon@canonical.com> Thu, 06 Apr 2023 14:09:32 -0500
cloud-init (23.1.1-0ubuntu0~18.04.1) bionic; urgency=medium
diff --git a/debian/cloud-init.postinst b/debian/cloud-init.postinst
index e8c8bef2..07408cc5 100644
--- a/debian/cloud-init.postinst
+++ b/debian/cloud-init.postinst
@@ -371,7 +371,7 @@ change_cloud_init_output_log_permissions() {
fix_lp2013967() {
# Ensure sensitive user data and vendor data gets redacted from instance-data.json
- local oldver="$1" last_bad_ver="23.1.1-0ubuntu0~22.04.1"
+ local oldver="$1" last_bad_ver="23.1.1-0ubuntu0~18.04.1"
dpkg --compare-versions "$oldver" le-nl "$last_bad_ver" || return 0
if ! python3 -c '
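Review bot: The `last_bad_ver` constant in `fix_lp2013967` has no comment marking it as series-specific, and this hunk apparently exists because the 22.04 value `23.1.1-0ubuntu0~22.04.1` was carried into the 18.04 packaging. This gate decides whether the upgrade-time redaction of instance-data.json for LP: #2013967 runs at all, so a wrong value here is easy to miss in review. I would add a comment above the `local` line such as `# last_bad_ver: last version published for this series without the LP: #2013967 fix; update when backporting to another series`. The function body continues past the end of the hunk (the `python3 -c '` argument is still open), so the redaction logic itself cannot be checked from here.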