yahoo-eng-team team mailing list archive

[Bug 1781094] Re: cloud.cfg.tmpl should not include "ssh_deletekeys: 0"

 

This bug is believed to be fixed in cloud-init in version 18.4. If this
is still a problem for you, please make a comment and set the state back
to New.

Thank you.

** Changed in: cloud-init
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1781094

Title:
  cloud.cfg.tmpl should not include "ssh_deletekeys: 0"

Status in cloud-init:
  Fix Released

Bug description:
  It seems that cloud-init inherited from Fedora the inclusion of
  "ssh_deletekeys: 0" in cloud.cfg.tmpl (commit 41d46bfb85).  This is
  risky in orchestration environments where an instance might be used as
  a master or template, and cloned from without other tools removing SSH
  host keys.  We believe that line should be removed from cloud.cfg.tmpl
  to reduce the risk of it being used in such environments.

  CVE-2018-10896 has been assigned [1].  On the Fedora bug [2] we are
  looking into history.

  1: https://access.redhat.com/security/cve/cve-2018-10896
  2: https://bugzilla.redhat.com/show_bug.cgi?id=1598832

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1781094/+subscriptions
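
An added example, not part of the bug report or of cloud-init's own code: a check an image builder could run before cloning a template, reporting whether host key deletion is still disabled as the bug description warns. The directory layout (`cloud.cfg` plus `cloud.cfg.d/*.cfg`, later files winning), the enabled-by-default behaviour, the accepted truthy spellings and the drop-in file name are assumptions, and the config tree is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these spellings enable deletion; 0, false, no, off disable it.
TRUE_VALUES = {"true", "1", "yes", "on"}
KEY_RE = re.compile(r"^ssh_deletekeys\s*:\s*(?P<val>[^#]*)")  # top-level key only


def effective_ssh_deletekeys(cloud_dir):
    """Return (enabled, source_file) for the last ssh_deletekeys setting found.

    Assumed layout: <cloud_dir>/cloud.cfg, then <cloud_dir>/cloud.cfg.d/*.cfg
    in sorted order, a later file overriding an earlier one. If no file sets
    the key, deletion is reported as enabled (assumed default).
    """
    cloud_dir = Path(cloud_dir)
    files = [cloud_dir / "cloud.cfg"]
    files += sorted((cloud_dir / "cloud.cfg.d").glob("*.cfg"))
    enabled, source = True, None
    for path in files:
        if not path.is_file():
            continue
        for line in path.read_text(errors="replace").splitlines():
            match = KEY_RE.match(line)
            if match:
                val = match.group("val").strip().strip("'\"").lower()
                enabled, source = val in TRUE_VALUES, path
    return enabled, source


def build_sample(root):
    """Write a constructed config tree whose base file carries the risky line."""
    root = Path(root)
    (root / "cloud.cfg.d").mkdir(parents=True, exist_ok=True)
    (root / "cloud.cfg").write_text(
        "users:\n - default\nssh_deletekeys: 0  # line from the template\n"
    )
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(tmp)
        print(effective_ssh_deletekeys(root))  # base config disables deletion
        override = root / "cloud.cfg.d" / "99-hostkeys.cfg"  # hypothetical name
        override.write_text("ssh_deletekeys: true\n")
        print(effective_ssh_deletekeys(root))  # drop-in re-enables deletion
```

A result of `(False, <path>)` names the file that leaves existing host keys in place, which is the condition to clear before an instance is used as a master or template.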

