From 4f11306fcd11ff2c92e7789e8ca2d486bc8099a2 Mon Sep 17 00:00:00 2001 From: Joseph Mingrone Date: Tue, 19 Jan 2021 20:47:00 +0000 Subject: [PATCH] security/vuxml: Document vulnerability in cloud-init version 20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://bugs.launchpad.net/cloud-init/+bug/1911680 Reported by: Mina Galić --- security/vuxml/vuln.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index dfda9aa3f9d6..c8646c87fbef 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,43 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + cloud-init -- Wrong access permissions of authorized keys + + + cloud-init + 20.4 + 20.4.1 + + + + +

cloud-init reports:

+
+

cloud-init release 20.4.1 is now available. This is a hotfix + release, that contains a single patch to address a security issue in + cloud-init 20.4.

+ +

Briefly, for users who provide more than one unique SSH key to + cloud-init and have a shared AuthorizedKeysFile configured in + sshd_config, cloud-init 20.4 started writing all of these keys to such a + file, granting all such keys SSH access as root.

+ +

It's worth restating this implication: if you are using the default + AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be, + then you are _not_ affected by this issue.

+
+ +
+ + https://bugs.launchpad.net/cloud-init/+bug/1911680 + + + 2021-01-14 + 2021-01-19 + +
+ moinmoin -- multiple vulnerabilities
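Review bot: The topic of the new entry, "cloud-init -- Wrong access permissions of authorized keys", reads as a file-mode problem, while the advisory quoted in the description says something else: with a shared AuthorizedKeysFile configured in sshd_config, cloud-init 20.4 writes all supplied SSH keys to that file, granting all such keys SSH access as root. Suggest a topic that states this, for example "cloud-init -- SSH keys written to shared AuthorizedKeysFile grant root access", so a reader of the topic alone can tell the exposure depends on a non-default AuthorizedKeysFile setting. The references block carries only the Launchpad URL; if a CVE identifier has been assigned for this bug, add it there as well.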