Security update for cloud-init

Announcement ID: SUSE-SU-2023:2628-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2022-2084 (NVD): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2023-1786 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2023-1786 (NVD): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • openSUSE Leap 15.4
  • openSUSE Leap 15.5
  • Public Cloud Module 15-SP2
  • Public Cloud Module 15-SP1
  • Public Cloud Module 15-SP3
  • Public Cloud Module 15-SP4
  • Public Cloud Module 15-SP5
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP5
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server 15 SP5
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP5
  • SUSE Manager Proxy 4.0
  • SUSE Manager Proxy 4.1
  • SUSE Manager Proxy 4.2
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.0
  • SUSE Manager Server 4.1
  • SUSE Manager Server 4.2
  • SUSE Manager Server 4.3

An update that solves two vulnerabilities and has two security fixes can now be installed.

Description:

This update for cloud-init fixes the following issues:

  • CVE-2023-1786: Do not expose sensitive data gathered from the CSP. (bsc#1210277)
  • CVE-2022-2084: Fixed a bug where logging of schema validation failures could include password hashes. (bsc#1210652)
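Both fixes above address the same class of defect: configuration or metadata that contains secrets is echoed into a log or a world-readable file. The following is an added example and not cloud-init's own code: a toy schema check over a constructed cloud-config document, shown with the leaky pattern (dumping the whole document next to the errors) beside the fixed pattern (naming the failing paths and logging only a redacted copy). The set of sensitive keys, the sample document and the function names are assumptions made for the example; the page does not name cloud-init's real sensitive-key list.

```python
"""Constructed example, not cloud-init's own code: log a cloud-config schema
failure without echoing password hashes or other secrets into the log."""
import logging
from typing import Any, Dict, List, Tuple

# Keys whose values must never reach a log line. This list is an assumption
# made for the example; the page does not name cloud-init's sensitive keys.
SENSITIVE_KEYS = frozenset({
    "passwd", "password", "hashed_passwd", "plain_text_passwd",
    "chpasswd", "token", "secret",
})
REDACTED = "<redacted>"

# Constructed user-data resembling a cloud-config document with two schema
# errors: lock_passwd and expire are given as strings instead of booleans.
SAMPLE_CONFIG: Dict[str, Any] = {
    "users": [{"name": "ops",
               "hashed_passwd": "$6$saltsalt$CONSTRUCTEDHASHVALUE",
               "lock_passwd": "yes"}],
    "chpasswd": {"list": ["ops:S3cretPlaintext"], "expire": "no"},
}


def redact(obj: Any) -> Any:
    """Deep-copy obj, replacing every value stored under a sensitive key.
    Lists and nested dicts are walked; scalars are returned unchanged."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def validate(config: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Toy schema check standing in for a real JSON-schema validator.
    Returns (path, problem) pairs and never copies the offending value."""
    errors: List[Tuple[str, str]] = []
    for i, user in enumerate(config.get("users", [])):
        if not isinstance(user.get("lock_passwd", True), bool):
            errors.append((f"users.{i}.lock_passwd", "expected a boolean"))
    expire = config.get("chpasswd", {}).get("expire")
    if expire is not None and not isinstance(expire, bool):
        errors.append(("chpasswd.expire", "expected a boolean"))
    return errors


def failure_message_unsafe(config: Dict[str, Any],
                           errors: List[Tuple[str, str]]) -> str:
    """The leaky pattern: the whole document, secrets included, is formatted
    into the message, so a schema typo lands a password hash in the log."""
    return "schema errors %s in config %r" % (errors, config)


def failure_message_safe(config: Dict[str, Any],
                         errors: List[Tuple[str, str]]) -> str:
    """The fixed pattern: name the failing paths so the operator can act,
    and show only a redacted copy of the document for context."""
    paths = ", ".join(f"{p}: {m}" for p, m in errors)
    return "schema errors [%s] in config %r" % (paths, redact(config))


def log_schema_failure(config: Dict[str, Any],
                       log: logging.Logger = logging.getLogger("schema")) -> str:
    """Validate config and emit the safe message; returns what was logged."""
    errors = validate(config)
    msg = failure_message_safe(config, errors) if errors else "schema ok"
    log.warning(msg)
    return msg


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(log_schema_failure(SAMPLE_CONFIG))
```

Redaction is done on a copy keyed by field name rather than by pattern-matching values, so a hash in an unexpected format is still covered as long as it sits under a known key; the trade-off is that an entire `chpasswd` block disappears from the log, which is the conservative choice for a file that may be read by anyone troubleshooting the instance.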

  • Update to version 23.1:
  • Support transactional-updates for SUSE based distros
  • Set ownership for new folders in Write Files Module
  • add OpenCloudOS and TencentOS support
  • lxd: Retry if the server isn't ready
  • test: switch pycloudlib source to pypi
  • test: Fix integration test deprecation message
  • Recognize opensuse-microos, dev tooling fixes
  • sources/azure: refactor imds handler into own module
  • docs: deprecation generation support
  • add function is_virtual to distro/FreeBSD
  • cc_ssh: support multiple hostcertificates
  • Fix minor schema validation regression and fixup typing
  • doc: Reword user data debug section
  • cli: schema also validate vendordata*.
  • ci: sort and add checks for cla signers file
  • Add "ederst" as contributor
  • readme: add reference to packages dir
  • docs: update downstream package list
  • docs: add google search verification
  • docs: fix 404 render use default notfound_urls_prefix in RTD conf
  • Fix OpenStack datasource detection on bare metal
  • docs: add themed RTD 404 page and pointer to readthedocs-hosted
  • schema: fix gpt labels, use type string for GUID
  • cc_disk_setup: code cleanup
  • netplan: keep custom strict perms when 50-cloud-init.yaml exists
  • cloud-id: better handling of change in datasource files
  • Warn on empty network key
  • Fix Vultr cloud_interfaces usage
  • cc_puppet: Update puppet service name
  • docs: Clarify networking docs
  • lint: remove httpretty
  • cc_set_passwords: Prevent traceback when restarting ssh
  • tests: fix lp1912844
  • tests: Skip ansible test on bionic
  • Wait for NetworkManager
  • docs: minor polishing
  • CI: migrate integration-test to GH actions
  • Fix permission of SSH host keys
  • Fix default route rendering on v2 ipv6
  • doc: fix path in net_convert command
  • docs: update net_convert docs
  • doc: fix dead link
  • cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty
  • distros/rhel.py: _read_hostname() missing strip on "hostname"
  • integration tests: add IBM VPC support
  • machine-id: set to uninitialized to trigger regeneration on clones
  • sources/azure: retry on connection error when fetching metadata
  • Ensure ssh state accurately obtained
  • bddeb: drop dh-systemd dependency on newer deb-based releases
  • doc: fix config formats link in cloudsigma.rst
  • Fix wrong subp syntax in cc_set_passwords.py
  • docs: update the PR template link to readthedocs
  • ci: switch unittests to gh actions
  • Add mount_default_fields for PhotonOS.
  • sources/azure: minor refactor for metadata source detection logic
  • add "CalvoM" as contributor
  • ci: doc to gh actions
  • lxd: handle 404 from missing devices route for LXD 4.0
  • docs: Diataxis overhaul
  • vultr: Fix issue regarding cache and region codes
  • cc_set_passwords: Move ssh status checking later
  • Improve Wireguard module idempotency
  • network/netplan: add gateways as on-link when necessary
  • tests: test_lxd assert features.networks.zones when present
  • Use btrfs enqueue when available (#1926) [Robert Schweikert]
  • sources/azure: fix device driver matching for net config (#1914)
  • BSD: fix duplicate macs in Ifconfig parser
  • pycloudlib: add lunar support for integration tests
  • nocloud: add support for dmi variable expansion for seedfrom URL
  • tools: read-version drop extra call to git describe --long
  • doc: improve cc_write_files doc
  • read-version: When insufficient tags, use cloudinit.version.get_version
  • mounts: document weird prefix in schema
  • Ensure network ready before cloud-init service runs on RHEL
  • docs: add copy button to code blocks
  • netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag
  • azure: fix support for systems without az command installed
  • Fix the distro.osfamily output problem in the openEuler system.
  • pycloudlib: bump commit dropping azure api smoke test
  • net: netplan config root read-only as wifi config can contain creds
  • autoinstall: clarify docs for users
  • sources/azure: encode health report as utf-8
  • Add back gateway4/6 deprecation to docs
  • networkd: Add support for multiple [Route] sections
  • doc: add qemu tutorial
  • lint: fix tip-flake8 and tip-mypy
  • Add support for setting uid when creating users on FreeBSD
  • Fix exception in BSD networking code-path
  • Append derivatives to is_rhel list in cloud.cfg.tmpl
  • FreeBSD init: use cloudinit_enable as only rcvar
  • feat: add support aliyun metadata security harden mode
  • docs: uprate analyze to performance page
  • test: fix lxd preseed managed network config
  • Add support for static IPv6 addresses for FreeBSD
  • Make 3.12 failures not fail the build
  • Docs: adding relative links
  • Fix setup.py to align with PEP 440 versioning replacing trailing
  • Add "nkukard" as contributor
  • doc: add how to render new module doc
  • doc: improve module creation explanation
  • Add Support for IPv6 metadata to OpenStack
  • add xiaoge1001 to .github-cla-signers
  • network: Deprecate gateway{4,6} keys in network config v2
  • VMware: Move Guest Customization transport from OVF to VMware
  • doc: home page links added
  • net: skip duplicate mac check for netvsc nic and its VF

This update for python-responses fixes the following issues:

  • update to 0.21.0:
  • Add threading.Lock() to allow responses to work with the threading module.
  • Add urllib3 Retry mechanism. See #135
  • Removed internal _cookies_from_headers function
  • The add, upsert and replace methods now return the registered response; the remove method returns the list of removed responses.
  • Added null value support in urlencoded_params_matcher via allow_blank keyword argument
  • Added strict version of decorator. Now you can apply @responses.activate(assert_all_requests_are_fired=True) to your function to validate that all requests were executed in the wrapped function. See #183

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods, such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2023-2628=1
  • openSUSE Leap 15.5
    zypper in -t patch openSUSE-SLE-15.5-2023-2628=1
  • Public Cloud Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2023-2628=1
  • Public Cloud Module 15-SP2
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2023-2628=1
  • Public Cloud Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2023-2628=1
  • Public Cloud Module 15-SP4
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-2628=1
  • Public Cloud Module 15-SP5
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-2628=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    • cloud-init-config-suse-23.1-150100.8.63.5
    • cloud-init-doc-23.1-150100.8.63.5
    • cloud-init-23.1-150100.8.63.5
  • openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    • cloud-init-config-suse-23.1-150100.8.63.5
    • cloud-init-doc-23.1-150100.8.63.5
    • cloud-init-23.1-150100.8.63.5
  • Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • cloud-init-config-suse-23.1-150100.8.63.5
    • cloud-init-23.1-150100.8.63.5
  • Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64)
    • cloud-init-config-suse-23.1-150100.8.63.5
    • cloud-init-23.1-150100.8.63.5
  • Public Cloud Module 15-SP3 (aarch64 ppc64le s390x x86_64)
    • cloud-init-config-suse-23.1-150100.8.63.5
    • cloud-init-23.1-150100.8.63.5
  • Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
    • cloud-init-config-suse-23.1-150100.8.63.5
    • cloud-init-23.1-150100.8.63.5
  • Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    • cloud-init-config-suse-23.1-150100.8.63.5
    • cloud-init-23.1-150100.8.63.5
