On 3/30/19 8:10 PM, Moritz Muehlenhoff wrote:
> Package: cloud-init
> Severity: grave
> Tags: security
>
> This was assigned CVE-2019-0816:
> https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
> https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
>
> Is this something that affects cloud-init as shipped in Debian or in the way
> we generate Debian images for Azure?
>
> Cheers,
> Moritz
Hi Moritz,

If I understand well the problem, the issue is simply that some extra Microsoft keys may end up being set up on an Azure Debian instance. I don't see this as a very "grave" security issue because:

1/ Azure users must trust Azure anyways, otherwise, they should just stop doing hosting there.
2/ It only affects Azure users.

I'm not even sure that our image is really using cloud-init to do the ssh key provisioning; if I'm not mistaken, it's using the Azure agent to do that (can Bastian confirm this?).

In any case, can we downgrade this bug to "important"? Or am I missing something here?

Cheers,

Thomas Goirand (zigo)
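As an added check, not part of either message and not cloud-init or Debian code: a small Python audit that lists authorized_keys entries whose SHA256 fingerprint is not on an operator-maintained allowlist, which is the kind of check a VM owner would run to notice extraneous keys like the ones this bug is about. The sample file, the key blobs and the allowlist are all constructed for the example.

```python
"""Audit an authorized_keys file for entries outside an allowlist.

Added illustration for the CVE-2019-0816 discussion above (extraneous
public keys landing in authorized_keys on a VM). Not cloud-init code.
The allowlist and the sample file below are constructed for the example.
"""
import base64
import hashlib
import re

# authorized_keys line: [options] keytype base64blob [comment]
KEYTYPE_RE = re.compile(
    r"\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return (fingerprint, keytype, comment) for each key entry.
    Handles a leading option string and skips blank/comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYTYPE_RE.search(line)
        if not m:
            continue  # unparseable line; a stricter audit would flag it
        keytype, blob = m.group(1), m.group(2)
        comment = line[m.end():].strip()
        entries.append((fingerprint(blob), keytype, comment))
    return entries


def extraneous_keys(text: str, allowed_fingerprints: set):
    """Return entries whose fingerprint is not in the allowlist."""
    return [e for e in parse_authorized_keys(text) if e[0] not in allowed_fingerprints]


def _blob(tag: str) -> str:
    """Constructed stand-in for a real key blob (valid base64, not a real key)."""
    return base64.b64encode(b"constructed-key-" + tag.encode()).decode()


# Constructed sample: two operator keys (one with options) plus one unexpected entry.
SAMPLE = "\n".join([
    "# operator keys",
    "ssh-ed25519 " + _blob("ops1") + " ops@example",
    'command="/usr/bin/backup" ssh-rsa ' + _blob("ops2") + " backup@example",
    "ssh-rsa " + _blob("unknown") + " unexpected@provisioner",
])
ALLOWED = {fingerprint(_blob("ops1")), fingerprint(_blob("ops2"))}

if __name__ == "__main__":
    for fp, kt, comment in extraneous_keys(SAMPLE, ALLOWED):
        print("unexpected key:", kt, fp, comment)
```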