Описание
Security update for cloud-init
This update for cloud-init fixes the following security issues:
- CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937).
- CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936).
Список пакетов
SUSE Linux Enterprise Module for Public Cloud 15
cloud-init-19.4-5.24.1
cloud-init-config-suse-19.4-5.24.1
Ссылки
- Link for SUSE-SU-2020:0585-1
- E-Mail link for SUSE-SU-2020:0585-1
- SUSE Security Ratings
- SUSE Bug 1162936
- SUSE Bug 1162937
- SUSE Bug 1163178
- SUSE CVE CVE-2020-8631 page
- SUSE CVE CVE-2020-8632 page
Описание
cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.
Затронутые продукты
SUSE Linux Enterprise Module for Public Cloud 15:cloud-init-19.4-5.24.1
SUSE Linux Enterprise Module for Public Cloud 15:cloud-init-config-suse-19.4-5.24.1
Ссылки
- CVE-2020-8631
- SUSE Bug 1162937
Описание
In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
Затронутые продукты
SUSE Linux Enterprise Module for Public Cloud 15:cloud-init-19.4-5.24.1
SUSE Linux Enterprise Module for Public Cloud 15:cloud-init-config-suse-19.4-5.24.1
Ссылки
- CVE-2020-8632
- SUSE Bug 1162936