Bug 1129124 - (CVE-2019-0816) VUL-0: CVE-2019-0816: cloud-init: extra ssh keys added to authorized_keys
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Robert Schweikert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/226054/
Depends on:
Blocks:
Reported: 2019-03-13 19:30 UTC by Marcus Meissner
Modified: 2020-05-05 19:19 UTC (History)
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2019-03-13 19:30:22 UTC
rh#1680165

A vulnerability was found in cloud-init. The entire list of certificates and public keys exposed from the wireserver is added to the authorized_keys file for the user-to-be-provisioned, regardless of whether they belong to the user or not.


Upstream commit:
https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1680165
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0816
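The description above boils down to a missing filter: keys delivered by the platform were installed for the user wholesale instead of only the ones meant for that user. The following added example (not code from cloud-init, the upstream merge, or this bug) shows the two behaviours side by side on constructed sample data. It assumes that the provisioning metadata names, per user, the fingerprints of the keys that user should receive (an assumption of this example; the shape of the real Azure metadata and of the upstream fix is not reproduced here); fingerprints are computed in the OpenSSH `SHA256:` form, and the key lines are well-formed but fake ed25519 blobs built for the demonstration.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a byte string in the SSH wire format (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_key(seed: bytes, comment: str) -> str:
    """Build a well-formed 'ssh-ed25519 <base64 blob> <comment>' line for testing.

    The 32-byte "public key" is just a hash of the seed: constructed sample
    data for this example, not a usable key pair.
    """
    fake_point = hashlib.sha256(b"constructed:" + seed).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_point)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of an authorized_keys-format line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def select_keys_unfiltered(fabric_keys):
    """Behaviour described in the bug: every key the platform exposes is installed."""
    return list(fabric_keys)


def select_keys_for_user(fabric_keys, user_fingerprints):
    """Install only keys whose fingerprint the provisioning data lists for this user.

    `user_fingerprints` is assumed to come from the per-user section of the
    provisioning metadata (an assumption of this example).
    """
    wanted = set(user_fingerprints)
    chosen = [k for k in fabric_keys if fingerprint(k) in wanted]
    missing = wanted - {fingerprint(k) for k in chosen}
    if missing:
        # A declared key the platform never delivered is worth surfacing:
        # the outcome is a locked-out user rather than an over-provisioned one.
        print("warning: declared keys not found in platform data: %s" % sorted(missing))
    return chosen


def render_authorized_keys(keys):
    """Render the selected keys as authorized_keys file content."""
    return "".join(k + "\n" for k in keys)


# Constructed sample data: three keys exposed by the platform, of which only
# one is declared for the user being provisioned.
FABRIC_KEYS = [
    constructed_ed25519_key(b"user-key", "user@example"),
    constructed_ed25519_key(b"other-tenant-key", "someone-else@example"),
    constructed_ed25519_key(b"unrelated-cert", "unrelated@example"),
]
USER_FINGERPRINTS = [fingerprint(FABRIC_KEYS[0])]

if __name__ == "__main__":
    print("--- unfiltered (behaviour described in the bug) ---")
    print(render_authorized_keys(select_keys_unfiltered(FABRIC_KEYS)))
    print("--- filtered by the fingerprints declared for the user ---")
    print(render_authorized_keys(select_keys_for_user(FABRIC_KEYS, USER_FINGERPRINTS)))
```

Running the script prints three key lines for the unfiltered path and one for the filtered path. Matching on a fingerprint rather than on the comment field matters: the comment is free text under the key owner's control, while the fingerprint is bound to the key blob itself.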
Comment 1 Robert Schweikert 2019-03-13 21:29:14 UTC
We do not yet support cloud-init for Azure, nor do we use cloud-init in our Azure images. We will have another, at least 1, by the time we get there.

Do you still want me to create a new package or can we ignore this?
Comment 2 Marcus Meissner 2019-03-14 09:10:58 UTC
If we are not using the affected code path, I will declare us as not affected.

Please mention the CVE and bug in future submissions, but currently no action is required.
Comment 3 Robert Schweikert 2019-09-26 16:22:59 UTC
Fix is in 19.1 which has been released. Missing notification in changelog to follow with submission for bsc#1099358
Comment 6 Swamp Workflow Management 2019-11-28 20:12:16 UTC
SUSE-SU-2019:3097-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    cloud-init-19.2-5.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    cloud-init-19.2-5.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-11-28 20:18:56 UTC
SUSE-SU-2019:3096-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    cloud-init-19.2-8.11.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    cloud-init-19.2-8.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-12-04 05:11:17 UTC
openSUSE-SU-2019:2633-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
openSUSE Leap 15.1 (src):    cloud-init-19.2-lp151.2.9.1
Comment 9 Swamp Workflow Management 2019-12-05 20:12:10 UTC
SUSE-SU-2019:3191-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092
CVE References: CVE-2019-0816
Sources used:
SUSE Linux Enterprise Module for Public Cloud 12 (src):    cloud-init-19.2-37.33.1
SUSE CaaS Platform 3.0 (src):    cloud-init-19.2-37.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.