Security update for cloud-init

Announcement ID:	SUSE-SU-2019:3097-1
Rating:	moderate
References:	bsc#1099358 bsc#1129124 bsc#1136440 bsc#1142988 bsc#1144363 bsc#1151488 bsc#1154092
Cross-References:	CVE-2019-0816
CVSS scores:	CVE-2019-0816 ( NVD ): 5.1 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	Public Cloud Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves one vulnerability and has six security fixes can now be installed.

Description:

This update for cloud-init to version 19.2 fixes the following issues:

Security issue fixed:

• CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124).

Non-security issues fixed:

• Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988).
• If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Public Cloud Module 15
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2019-3097=1

Package List:

• Public Cloud Module 15 (aarch64 ppc64le s390x x86_64)
  • cloud-init-19.2-5.18.1
  • cloud-init-config-suse-19.2-5.18.1

References:

• https://www.suse.com/security/cve/CVE-2019-0816.html
• https://bugzilla.suse.com/show_bug.cgi?id=1099358
• https://bugzilla.suse.com/show_bug.cgi?id=1129124
• https://bugzilla.suse.com/show_bug.cgi?id=1136440
• https://bugzilla.suse.com/show_bug.cgi?id=1142988
• https://bugzilla.suse.com/show_bug.cgi?id=1144363
• https://bugzilla.suse.com/show_bug.cgi?id=1151488
• https://bugzilla.suse.com/show_bug.cgi?id=1154092