Описание
Security update for cloud-init
This update for cloud-init fixes the following security issues:
- CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937).
- CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Список пакетов
openSUSE Leap 15.1
cloud-init-19.4-lp151.2.15.1
cloud-init-config-suse-19.4-lp151.2.15.1
cloud-init-doc-19.4-lp151.2.15.1
Ссылки
- E-Mail link for openSUSE-SU-2020:0400-1
- SUSE Security Ratings
- SUSE Bug 1162936
- SUSE Bug 1162937
- SUSE Bug 1163178
- SUSE CVE CVE-2020-8631 page
- SUSE CVE CVE-2020-8632 page
Описание
cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.
Затронутые продукты
openSUSE Leap 15.1:cloud-init-19.4-lp151.2.15.1
openSUSE Leap 15.1:cloud-init-config-suse-19.4-lp151.2.15.1
openSUSE Leap 15.1:cloud-init-doc-19.4-lp151.2.15.1
Ссылки
- CVE-2020-8631
- SUSE Bug 1162937
Описание
In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
Затронутые продукты
openSUSE Leap 15.1:cloud-init-19.4-lp151.2.15.1
openSUSE Leap 15.1:cloud-init-config-suse-19.4-lp151.2.15.1
openSUSE Leap 15.1:cloud-init-doc-19.4-lp151.2.15.1
Ссылки
- CVE-2020-8632
- SUSE Bug 1162936