There is 1 open security issue in bookworm.
1 issue left for the package maintainer to handle:
- CVE-2023-1786:
(needs triaging)
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
You can find information about how to handle this issue in the security team's documentation.
2 issues that should be fixed with the next stable update:
- CVE-2024-6174:
When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.
- CVE-2024-11584:
cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/c/cloud-init.png){kind=link}