Debian 10261 Published by

A cloud-int security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where raw, unhashed password are accessible in a world-readable local file.



ELA-448-1 cloud-int security update

Package cloud-int
Version 0.7.6~bzr976-2+deb8u3
Related CVEs CVE-2021-3429

cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as:

chpasswd: list: | user1:RANDOM

When used this way, cloud-init logs the raw, unhashed password to a world-readable local file.

For Debian 8 jessie, these problems have been fixed in version 0.7.6~bzr976-2+deb8u3.

We recommend that you upgrade your cloud-int packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-448-1 cloud-int security update