Source: cloud-init
Version: 25.1.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/canonical/cloud-init/pull/6265
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cloud-init.

CVE-2024-11584[0]:
| cloud-init through 25.1.2 includes the systemd socket unit
| cloud-init-hotplugd.socket with default SocketMode that grants 0666
| permissions, making it world-writable. This is used for the
| "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could
| trigger hotplug-hook commands.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-11584
    https://www.cve.org/CVERecord?id=CVE-2024-11584
[1] https://github.com/canonical/cloud-init/pull/6265
[2] https://github.com/canonical/cloud-init/commit/4839736429e9057a309ccd835cb3159fb51b1353

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
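An added check for the class of misconfiguration described in the CVE text above (this is example code, not cloud-init's or Debian's). It parses a constructed `.socket` unit, applies systemd's documented default of `SocketMode=0666` when the key is absent, and reports whether the endpoint ends up world-writable; the `0600` value in the hardened sample is an illustrative choice, not a statement of what the upstream pull request changed.

```python
# Added example (not cloud-init's or Debian's code): audit a systemd .socket unit
# for a world-writable endpoint. Assumes systemd's documented default of
# SocketMode=0666 when the key is absent; 0600 is an illustrative hardened value.
import os
import stat
from configparser import ConfigParser
from typing import Optional

SYSTEMD_DEFAULT_SOCKET_MODE = 0o666  # documented default in systemd.socket(5)

# Constructed sample with the vulnerable shape: a FIFO and no SocketMode line.
WEAK_UNIT = """\
[Unit]
Description=cloud-init hotplug hook socket

[Socket]
ListenFIFO=/run/cloud-init/hook-hotplug-cmd
Service=cloud-init-hotplugd.service
"""

# Same unit with an explicit restrictive mode (assumed hardening, not the upstream diff).
HARDENED_UNIT = WEAK_UNIT + "SocketMode=0600\n"


def parse_unit(unit_text: str) -> ConfigParser:
    cp = ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(unit_text)
    return cp


def effective_socket_mode(unit_text: str) -> int:
    """Mode systemd applies to the unit's endpoint; falls back to the 0666 default."""
    raw = parse_unit(unit_text).get("Socket", "SocketMode", fallback=None)
    return int(raw, 8) if raw else SYSTEMD_DEFAULT_SOCKET_MODE


def audit_unit(unit_text: str) -> dict:
    """Endpoints the unit creates plus whether other users can write to them."""
    cp = parse_unit(unit_text)
    mode = effective_socket_mode(unit_text)
    endpoints = [v for k, v in cp.items("Socket") if k.startswith("Listen")]
    return {"mode": mode, "endpoints": endpoints,
            "world_writable": bool(mode & stat.S_IWOTH)}


def path_is_world_writable(path: str) -> Optional[bool]:
    """Check a live endpoint such as the FIFO under /run; None if it does not exist."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_unit(text))  # weak -> world_writable True, hardened -> False
```

On a running system the same `path_is_world_writable` check can be pointed at the FIFO path named in the CVE text to confirm whether an installed version is still affected.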