diff --git a/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch b/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch
new file mode 100644
index 0000000..866fdb6
--- /dev/null
+++ b/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch
@@ -0,0 +1,41 @@
+From 251836a62eb3061b8d26177fd5997a96dccec21b Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo <otubo@redhat.com>
+Date: Thu, 28 May 2020 08:44:06 +0200
+Subject: [PATCH 3/4] Enable ssh_deletekeys by default
+
+RH-Author: Eduardo Otubo <otubo@redhat.com>
+Message-id: <20200317091705.15715-1-otubo@redhat.com>
+Patchwork-id: 94365
+O-Subject: [RHEL-7.9/RHEL-8.2.0 cloud-init PATCH] Enable ssh_deletekeys by default
+Bugzilla: 1814152
+RH-Acked-by: Mohammed Gamal <mgamal@redhat.com>
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+The configuration option ssh_deletekeys will trigger the generation
+of new ssh keys for every new instance deployed.
+
+x-downstream-only: yes
+resolves: rhbz#1814152
+
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ rhel/cloud.cfg | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel/cloud.cfg b/rhel/cloud.cfg
+index 82e8bf6..9ecba21 100644
+--- a/rhel/cloud.cfg
++++ b/rhel/cloud.cfg
+@@ -6,7 +6,7 @@ ssh_pwauth: 0
+
+ mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']
+ resize_rootfs_tmp: /dev
+-ssh_deletekeys: 0
++ssh_deletekeys: 1
+ ssh_genkeytypes: ~
+ syslog_fix_perms: ~
+ disable_vmware_customization: false
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch b/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch
new file mode 100644
index 0000000..74bb8ac
--- /dev/null
+++ b/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch
@@ -0,0 +1,40 @@
+From 301b1770d3e2580c3ee168261a9a97d143cc5f59 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo <otubo@redhat.com>
+Date: Mon, 1 Jun 2020 11:58:06 +0200
+Subject: [PATCH] Make cloud-init.service execute after network is up
+
+RH-Author: Eduardo Otubo <otubo@redhat.com>
+Message-id: <20200526090804.2047-1-otubo@redhat.com>
+Patchwork-id: 96809
+O-Subject: [RHEL-8.2.1 cloud-init PATCH] Make cloud-init.service execute after network is up
+Bugzilla: 1803928
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+cloud-init.service needs to wait until network is fully up before
+continuing executing and configuring its service.
+
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+
+x-downstream-only: yes
+Resolves: rhbz#1831646
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ rhel/systemd/cloud-init.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rhel/systemd/cloud-init.service b/rhel/systemd/cloud-init.service
+index d0023a0..0b3d796 100644
+--- a/rhel/systemd/cloud-init.service
++++ b/rhel/systemd/cloud-init.service
+@@ -5,6 +5,7 @@ Wants=sshd-keygen.service
+ Wants=sshd.service
+ After=cloud-init-local.service
+ After=NetworkManager.service network.service
++After=NetworkManager-wait-online.service
+ Before=network-online.target
+ Before=sshd-keygen.service
+ Before=sshd.service
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch b/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch
new file mode 100644
index 0000000..d8c99fd
--- /dev/null
+++ b/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch
@@ -0,0 +1,52 @@
+From 0422ba0e773d1a8257a3f2bf3db05f3bc7917eb7 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo <otubo@redhat.com>
+Date: Thu, 28 May 2020 08:44:08 +0200
+Subject: [PATCH 4/4] Remove race condition between cloud-init and
+ NetworkManager
+
+RH-Author: Eduardo Otubo <otubo@redhat.com>
+Message-id: <20200327121911.17699-1-otubo@redhat.com>
+Patchwork-id: 94453
+O-Subject: [RHEL-7.9/RHEL-8.2.0 cloud-init PATCHv2] Remove race condition between cloud-init and NetworkManager
+Bugzilla: 1840648
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Cathy Avery <cavery@redhat.com>
+
+cloud-init service is set to start before NetworkManager service starts,
+but this does not avoid a race condition between them. NetworkManager
+starts before cloud-init can write `dns=none' to the file:
+/etc/NetworkManager/conf.d/99-cloud-init.conf. This way NetworkManager
+doesn't read the configuration and erases all resolv.conf values upon
+shutdown. On the next reboot neither cloud-init or NetworkManager will
+write anything to resolv.conf, leaving it blank.
+
+This patch introduces a NM reload (try-reload-or-restart) at the end of cloud-init
+start up so it won't erase resolv.conf upon first shutdown.
+
+x-downstream-only: yes
+
+Signed-off-by: Eduardo Otubo otubo@redhat.com
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ rhel/systemd/cloud-final.service | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rhel/systemd/cloud-final.service b/rhel/systemd/cloud-final.service
+index f303483..05add07 100644
+--- a/rhel/systemd/cloud-final.service
++++ b/rhel/systemd/cloud-final.service
+@@ -11,8 +11,8 @@ ExecStart=/usr/bin/cloud-init modules --mode=final
+ RemainAfterExit=yes
+ TimeoutSec=0
+ KillMode=process
+-ExecStartPost=/bin/echo "try restart NetworkManager.service"
+-ExecStartPost=/usr/bin/systemctl try-restart NetworkManager.service
++ExecStartPost=/bin/echo "trying to reload or restart NetworkManager.service"
++ExecStartPost=/usr/bin/systemctl try-reload-or-restart NetworkManager.service
+
+ # Output needs to appear in instance console output
+ StandardOutput=journal+console
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch b/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch
new file mode 100644
index 0000000..a49ca1e
--- /dev/null
+++ b/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch
@@ -0,0 +1,42 @@
+From e7a0cd9aa71dfd7715eca4b393db0aa348e05f8f Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 28 May 2020 08:43:58 +0200
+Subject: [PATCH 1/4] cc_set_password: increase random pwlength from 9 to 20
+ (#189)
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200313015002.3297-2-jmaloy@redhat.com>
+Patchwork-id: 94253
+O-Subject: [RHEL-8.2 cloud-init PATCH 1/1] cc_set_password: increase random pwlength from 9 to 20 (#189)
+Bugzilla: 1812171
+RH-Acked-by: Eduardo Otubo <eterrell@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Ryan Harper <ryan.harper@canonical.com>
+
+Increasing the bits of security from 52 to 115.
+
+LP: #1860795
+(cherry picked from commit 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ cloudinit/config/cc_set_passwords.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+index c3c5b0f..0742234 100755
+--- a/cloudinit/config/cc_set_passwords.py
++++ b/cloudinit/config/cc_set_passwords.py
+@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):
+ raise errors[-1]
+
+
+-def rand_user_password(pwlen=9):
++def rand_user_password(pwlen=20):
+ return util.rand_str(pwlen, select_from=PW_SET)
+
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch b/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch
new file mode 100644
index 0000000..6f75385
--- /dev/null
+++ b/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch
@@ -0,0 +1,46 @@
+From ebbc83c1ca52620179d94dc1d92c44883273e4ef Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 28 May 2020 08:44:02 +0200
+Subject: [PATCH 2/4] utils: use SystemRandom when generating random password.
+ (#204)
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200313184329.16696-2-jmaloy@redhat.com>
+Patchwork-id: 94294
+O-Subject: [RHEL-8.2 cloud-init PATCH 1/1] utils: use SystemRandom when generating random password. (#204)
+Bugzilla: 1812174
+RH-Acked-by: Eduardo Otubo <eterrell@redhat.com>
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Mohammed Gamal <mgamal@redhat.com>
+
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+
+As noticed by Seth Arnold, non-deterministic SystemRandom should be
+used when creating security sensitive random strings.
+
+(cherry picked from commit 3e2f7356effc9e9cccc5ae945846279804eedc46)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ cloudinit/util.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 9d9d5c7..5d51ba8 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -401,9 +401,10 @@ def translate_bool(val, addons=None):
+
+
+ def rand_str(strlen=32, select_from=None):
++ r = random.SystemRandom()
+ if not select_from:
+ select_from = string.ascii_letters + string.digits
+- return "".join([random.choice(select_from) for _x in range(0, strlen)])
++ return "".join([r.choice(select_from) for _x in range(0, strlen)])
+
+
+ def rand_dict_key(dictionary, postfix=None):
+--
+1.8.3.1
+
diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec
index 57774e7..878b169 100644
--- a/SPECS/cloud-init.spec
+++ b/SPECS/cloud-init.spec
@@ -6,7 +6,7 @@
Name: cloud-init
Version: 19.4
-Release: 1%{?dist}
+Release: 3%{?dist}
Summary: Cloud instance init scripts
Group: System Environment/Base
@@ -22,6 +22,16 @@ Patch0004: 0004-sysconfig-Don-t-write-BOOTPROTO-dhcp-for-ipv6-dhcp.patch
Patch0005: 0005-DataSourceAzure.py-use-hostnamectl-to-set-hostname.patch
Patch0006: 0006-include-NOZEROCONF-yes-in-etc-sysconfig-network.patch
Patch0007: 0007-Remove-race-condition-between-cloud-init-and-Network.patch
+# For bz#1812171 - CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py [rhel-8]
+Patch8: ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch
+# For bz#1812174 - CVE-2020-8631 cloud-init: Use of random.choice when generating random password [rhel-8]
+Patch9: ci-utils-use-SystemRandom-when-generating-random-passwo.patch
+# For bz#1814152 - CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8]
+Patch10: ci-Enable-ssh_deletekeys-by-default.patch
+# For bz#1840648 - [cloud-init][RHEL-8.2.0] /etc/resolv.conf lose config after reboot (initial instance is ok)
+Patch11: ci-Remove-race-condition-between-cloud-init-and-Network.patch
+# For bz#1803928 - [RHEL8.3] Race condition of starting cloud-init and NetworkManager
+Patch12: ci-Make-cloud-init.service-execute-after-network-is-up.patch
BuildArch: noarch
@@ -205,6 +215,25 @@ fi
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
%changelog
+* Mon Jun 01 2020 Miroslav Rezanina <mrezanin@redhat.com> - 19.4-3.el8
+- ci-Make-cloud-init.service-execute-after-network-is-up.patch [bz#1803928]
+- Resolves: bz#1803928
+ ([RHEL8.3] Race condition of starting cloud-init and NetworkManager)
+
+* Thu May 28 2020 Miroslav Rezanina <mrezanin@redhat.com> - 19.4-2.el8
+- ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch [bz#1812171]
+- ci-utils-use-SystemRandom-when-generating-random-passwo.patch [bz#1812174]
+- ci-Enable-ssh_deletekeys-by-default.patch [bz#1814152]
+- ci-Remove-race-condition-between-cloud-init-and-Network.patch [bz#1840648]
+- Resolves: bz#1812171
+ (CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py [rhel-8])
+- Resolves: bz#1812174
+ (CVE-2020-8631 cloud-init: Use of random.choice when generating random password [rhel-8])
+- Resolves: bz#1814152
+ (CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8])
+- Resolves: bz#1840648
+ ([cloud-init][RHEL-8.2.0] /etc/resolv.conf lose config after reboot (initial instance is ok))
+
* Mon Apr 20 2020 Miroslav Rezanina <mrezanin@redhat.coM> - 19.4-1.el8
- Rebase to cloud-init 19.4 [bz#1803095]
- Resolves: bz#1803095