ELA-448-1 cloud-init security update
Package cloud-init
Version 0.7.6~bzr976-2+deb8u3
Related CVEs CVE-2021-3429
cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as:
    chpasswd:
      list: |
        user1:RANDOM
When used this way, cloud-init logs the raw, unhashed password to a world-readable local file.
For Debian 8 jessie, this problem has been fixed in version 0.7.6~bzr976-2+deb8u3.
We recommend that you upgrade your cloud-init packages.
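An added example (not part of the advisory or of cloud-init's code): an exposure check that lists the users whose chpasswd entry requests a random password in cloud-config user-data, and tests whether a given file is readable by every local account. The sample user-data and the function names are constructed for illustration, and the file to check is supplied by the caller because the advisory does not name it; the `R` shorthand is accepted by cloud-init alongside `RANDOM`.

```python
import os
import re
import stat
import sys

# Constructed sample user-data (not from a real deployment).
SAMPLE_USER_DATA = """\
#cloud-config
chpasswd:
  list: |
    user1:RANDOM
    user2:$6$constructedsalt$constructedhash
    user3:R
  expire: False
packages:
  - htop
"""

# cloud-init treats both "RANDOM" and the shorthand "R" as "generate a password".
# An optional leading "- " also covers entries written as a YAML list.
_RANDOM_ENTRY = re.compile(r"^(?:-\s+)?([^:\s]+):(?:RANDOM|R)$")


def random_password_users(user_data):
    """Return users whose chpasswd entry asks cloud-init for a random password."""
    users, in_chpasswd = [], False
    for line in user_data.splitlines():
        if line and not line[0].isspace():
            # A new top-level key starts or ends the chpasswd section.
            in_chpasswd = line.split("#")[0].strip() == "chpasswd:"
            continue
        if in_chpasswd:
            match = _RANDOM_ENTRY.match(line.strip())
            if match:
                users.append(match.group(1))
    return users


def is_world_readable(path):
    """True if the file's mode grants read permission to 'other'."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    # Usage: script.py <user-data file> <file to check>; both paths are caller-supplied.
    with open(sys.argv[1]) as handle:
        affected = random_password_users(handle.read())
    print("users with random passwords:", affected)
    print("world-readable:", is_world_readable(sys.argv[2]))
```

Any user reported here on a system that ran a pre-fix version should have the generated password rotated, since it may already have been read by other local accounts.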
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A cloud-init security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where raw, unhashed passwords are accessible in a world-readable local file.