Date: Tue, 19 Jan 2021 20:47:00 +0000 (UTC)
From: Joseph Mingrone <jrm@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r562084 - head/security/vuxml
Message-ID: <202101192047.10JKl0sN079357@repo.freebsd.org>
Author: jrm Date: Tue Jan 19 20:47:00 2021 New Revision: 562084 URL: https://svnweb.freebsd.org/changeset/ports/562084 Log: security/vuxml: Document vulnerability in cloud-init version 20.4 https://bugs.launchpad.net/cloud-init/+bug/1911680 Reported by: Mina Galić <me@igalic.co> Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jan 19 20:46:59 2021 (r562083) +++ head/security/vuxml/vuln.xml Tue Jan 19 20:47:00 2021 (r562084) 
@@ -58,6 +58,43 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="8899298f-5a92-11eb-8558-3085a9a47796"> + <topic>cloud-init -- Wrong access permissions of authorized keys</topic> + <affects> + <package> + <name>cloud-init</name> + <range><ge>20.4</ge></range> + <range><lt>20.4.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cloud-init reports:</p> + <blockquote cite="https://bugs.launchpad.net/cloud-init/+bug/1911680"> + <p>cloud-init release 20.4.1 is now available. This is a hotfix + release, that contains a single patch to address a security issue in + cloud-init 20.4.</p> + + <p>Briefly, for users who provide more than one unique SSH key to + cloud-init and have a shared AuthorizedKeysFile configured in + sshd_config, cloud-init 20.4 started writing all of these keys to such a + file, granting all such keys SSH access as root.</p> + + <p>It's worth restating this implication: if you are using the default + AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be, + then you are _not_ affected by this issue.</p> + </blockquote> + </body> + </description> + <references> + <url>https://bugs.launchpad.net/cloud-init/+bug/1911680</url> + </references> + <dates> + <discovery>2021-01-14</discovery> + <entry>2021-01-19</entry> + </dates> + </vuln> + <vuln vid="abed4ff0-7da1-4236-880d-de33e4895315"> <topic>moinmoin -- multiple vulnerabilities</topic> <affects>
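Review bot: In the `<affects>` block of the new cloud-init entry, the lower and upper bounds sit in two separate `<range>` elements (`<range><ge>20.4</ge></range>` and `<range><lt>20.4.1</lt></range>`). Separate ranges inside one `<package>` are alternatives, so taken together they match every cloud-init version rather than only 20.4, while the quoted description says the issue was introduced in 20.4 and fixed in 20.4.1. Put both bounds in a single range, `<range><ge>20.4</ge><lt>20.4.1</lt></range>`, so that users on older or already fixed versions are not flagged as vulnerable.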