cloud-init-23.1-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13053 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cloud-init-23.1-2.1 on GA media These are all security issues fixed in the cloud-init-23.1-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13053 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13053 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-3429/ SUSE CVE CVE-2021-3429 page https://www.suse.com/security/cve/CVE-2023-1786/ SUSE CVE CVE-2023-1786 page openSUSE Tumbleweed cloud-init-23.1-2.1 cloud-init-config-suse-23.1-2.1 cloud-init-doc-23.1-2.1 cloud-init-23.1-2.1 as a component of openSUSE Tumbleweed cloud-init-config-suse-23.1-2.1 as a component of openSUSE Tumbleweed cloud-init-doc-23.1-2.1 as a component of openSUSE Tumbleweed When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user. CVE-2021-3429 openSUSE Tumbleweed:cloud-init-23.1-2.1 openSUSE Tumbleweed:cloud-init-config-suse-23.1-2.1 openSUSE Tumbleweed:cloud-init-doc-23.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3429.html CVE-2021-3429 https://bugzilla.suse.com/1184758 SUSE Bug 1184758 Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. CVE-2023-1786 openSUSE Tumbleweed:cloud-init-23.1-2.1 openSUSE Tumbleweed:cloud-init-config-suse-23.1-2.1 openSUSE Tumbleweed:cloud-init-doc-23.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-1786.html CVE-2023-1786 https://bugzilla.suse.com/1210277 SUSE Bug 1210277