yahoo-eng-team team mailing list archive
Message #73748
[Bug 1781094] [NEW] cloud.cfg.tmp should not include "ssh_deletekeys: 0"
Public bug reported:

It seems that cloud-init inherited from Fedora the inclusion of
"ssh_deletekeys: 0" in cloud.cfg.tmpl (commit 41d46bfb85). This is
risky in orchestration environments where an instance might be used as a
master or template, and cloned from without other tools removing SSH
host keys. We believe that line should be removed from cloud.cfg.tmpl
to reduce the risk of it being used in such environments.

CVE-2018-10896 has been assigned [1]. On the Fedora bug [2] we are
looking into history.

1: https://access.redhat.com/security/cve/cve-2018-10896
2: https://bugzilla.redhat.com/show_bug.cgi?id=1598832

** Affects: cloud-init
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1781094
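
An audit sketch for the setting described in this report, added here as an example; it is not part of the original message and not cloud-init's own code. It checks one config file's text for a top-level ssh_deletekeys that switches host-key deletion off. The function name and sample config are constructed, and treating an absent key as "deletion stays on" is an assumption of this example.

```python
import re

# Top-level key only: no indentation, optional trailing comment.
KEY_RE = re.compile(r"^ssh_deletekeys\s*:\s*([^#]*?)\s*(?:#.*)?$")

# Spellings a YAML 1.1 loader turns into a false-y value; quoted forms
# are flagged too (a conservative choice made by this example).
FALSY = {"0", "false", "no", "off", "null", "~", ""}


def audit_ssh_deletekeys(cfg_text):
    """Return a finding dict for the effective ssh_deletekeys setting.

    status is "disabled" (host keys survive into clones), "enabled",
    or "unset" (key absent; assumed here to leave deletion on).
    """
    finding = {"status": "unset", "line": None, "raw": None}
    for line_no, line in enumerate(cfg_text.splitlines(), start=1):
        match = KEY_RE.match(line)
        if not match:
            continue  # comments, Jinja directives, nested or other keys
        raw = match.group(1)
        value = raw.strip("'\"").lower()
        # Keep overwriting: for a duplicated key the last occurrence wins.
        finding = {
            "status": "disabled" if value in FALSY else "enabled",
            "line": line_no,
            "raw": raw,
        }
    return finding


# Constructed samples, not the real cloud.cfg.tmpl contents.
WEAK_CFG = """\
## template:jinja
users:
  - default
disable_root: 1
ssh_pwauth: 0
ssh_deletekeys: 0   # the line the bug asks to remove
ssh_genkeytypes: ~
"""
FIXED_CFG = "".join(
    l for l in WEAK_CFG.splitlines(True) if not l.startswith("ssh_deletekeys")
)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("fixed", FIXED_CFG)):
        print(name, audit_ssh_deletekeys(text))
```

Run it against the config baked into a template image before cloning; drop-in files and user-data are outside what this single-file check sees.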