author | James Falcon <james.falcon@canonical.com> | 2023-04-24 17:43:40 -0500 |
---|---|---|
committer | Chad Smith <chad.smith@canonical.com> | 2023-04-25 08:52:06 -0600 |
commit | bfb1eeec043f3ebf4bcdc34e5a37168a29338504 (patch) | |
tree | ae2d8499dec5a46f4574c6901a9c5b1b4dd1195d | |
parent | a9201128e4f8c34c54a906e5548f15ad373da163 (diff) | |
download | cloud-init-git-bfb1eeec043f3ebf4bcdc34e5a37168a29338504.tar.gz |
update changelog
-rw-r--r-- | debian/changelog | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index eabd8813..7f5ed958 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,28 @@ +cloud-init (21.1-19-gbad84ad4-0ubuntu1~16.04.3) UNRELEASED; urgency=medium + + * SECURITY UPDATE: Make user/vendor data sensitive and remove log permissions + Because user data and vendor data may contain sensitive information, + this commit ensures that any user data or vendor data written to + instance-data.json gets redacted and is only available to root user. + + Also, modify the permissions of cloud-init.log to be 640, so that + sensitive data leaked to the log isn't world readable. + Additionally, remove the logging of user data and vendor data to + cloud-init.log from the Vultr datasource. + + This is a backport based on security release of 23.1.2 [(LP: #2013967)] + + - d/cloud-init.postinst: postinst fixes for LP: #2013967 + Redact sensitive keys from world-readable instance-data.json on upgrade. + Set perms 640 for /var/log/cloud-init.log on pkg upgrade. + - d/patches/backport-redact-sensitive-json-keys-cloud-init-log-640.patch + Backport of runtime changes to redact nested sensitive keys from + /run/cloud-init/instance-data.json and set /var/log/cloud-init.log + permissions to 640. + - (CVE-2023-1786) + + -- James Falcon <james.falcon@canonical.com> Thu, 06 Apr 2023 14:09:32 -0500 + cloud-init (21.1-19-gbad84ad4-0ubuntu1~16.04.2) xenial; urgency=medium * cherry-pick 83f6bbfb: Fix unpickle for source paths missing run_dir |
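Review bot: The summary line of the new entry, "Make user/vendor data sensitive and remove log permissions", says permissions are removed, while the body and the d/cloud-init.postinst item both say cloud-init.log is set to 640. Suggest "restrict log permissions" so the headline matches what the upgrade actually does. The bug reference on the backport line is wrapped as "[(LP: #2013967)]", unlike the plain "LP: #2013967" on the postinst item just below it; drop the extra brackets so the references are consistent. The distribution field is still UNRELEASED where the previous entry targets xenial, so it needs to be set before this is uploaded.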