Bugzilla – Bug 1129124
VUL-0: CVE-2019-0816: cloud-init: extra ssh keys added to authorized_keys
Last modified: 2020-05-05 19:19:04 UTC
rh#1680165
A vulnerability was found in cloud-init. The entire list of certificates and public keys exposed from the wireserver is added to the authorized_keys file for the user-to-be-provisioned, regardless of whether they belong to the user or not.
Upstream commit: https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1680165
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0816
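An added example, not part of the bug report or of cloud-init's code: a defender-side audit that lists authorized_keys entries whose fingerprint is not in the set of keys intended for the provisioned user, which is the condition this bug creates. The sample file content, the key blobs and all function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (key_type, blob, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)   # keeps quoted option values together
    except ValueError:               # unbalanced quote, e.g. in a comment
        tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def unexpected_keys(authorized_keys_text, expected_fingerprints):
    """List (line_no, key_type, fingerprint, comment) for keys not expected."""
    extras = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        try:
            fp = fingerprint(blob)
        except (binascii.Error, ValueError):
            fp = "UNPARSEABLE"       # report malformed entries as well
        if fp not in expected_fingerprints:
            extras.append((lineno, key_type, fp, comment))
    return extras

def _blob(label):                    # constructed stand-in for a key blob
    return base64.b64encode(label).decode()

SAMPLE = "\n".join([                 # constructed authorized_keys content
    "# constructed sample",
    f"ssh-rsa {_blob(b'user-key')} azureuser@vm",
    f"ssh-rsa {_blob(b'other-cert-1')}",
    f'no-pty,command="/bin/true" ssh-ed25519 {_blob(b"other-cert-2")} extra',
])
EXPECTED = {fingerprint(_blob(b"user-key"))}
```

On a real host the expected set would come from the keys the administrator supplied at provisioning time; `ssh-keygen -lf` prints fingerprints in the same `SHA256:` form.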
We do not yet support cloud-init for Azure, nor do we use cloud-init in our Azure images. We will have another, at least 1, by the time we get there. Do you still want me to create a new package or can we ignore this?
If we are not using the affected code path, I will declare us as not affected. Please mention the CVE and bug in future submissions, but currently no action is required.
Fix is in 19.1 which has been released. Missing notification in changelog to follow with submission for bsc#1099358
SUSE-SU-2019:3097-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src): cloud-init-19.2-5.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): cloud-init-19.2-5.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:3096-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src): cloud-init-19.2-8.11.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): cloud-init-19.2-8.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2633-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
openSUSE Leap 15.1 (src): cloud-init-19.2-lp151.2.9.1
SUSE-SU-2019:3191-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
SUSE Linux Enterprise Module for Public Cloud 12 (src): cloud-init-19.2-37.33.1
SUSE CaaS Platform 3.0 (src): cloud-init-19.2-37.33.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.