diff --git a/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch b/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch
new file mode 100644
index 0000000..866fdb6
--- /dev/null
+++ b/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch
@@ -0,0 +1,41 @@
+From 251836a62eb3061b8d26177fd5997a96dccec21b Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Thu, 28 May 2020 08:44:06 +0200
+Subject: [PATCH 3/4] Enable ssh_deletekeys by default
+
+RH-Author: Eduardo Otubo
+Message-id: <20200317091705.15715-1-otubo@redhat.com>
+Patchwork-id: 94365
+O-Subject: [RHEL-7.9/RHEL-8.2.0 cloud-init PATCH] Enable ssh_deletekeys by default
+Bugzilla: 1814152
+RH-Acked-by: Mohammed Gamal
+RH-Acked-by: Vitaly Kuznetsov
+
+The configuration option ssh_deletekeys will trigger the generation
+of new ssh keys for every new instance deployed.
+
+x-downstream-only: yes
+resolves: rhbz#1814152
+
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Miroslav Rezanina
+---
+ rhel/cloud.cfg | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel/cloud.cfg b/rhel/cloud.cfg
+index 82e8bf6..9ecba21 100644
+--- a/rhel/cloud.cfg
++++ b/rhel/cloud.cfg
+@@ -6,7 +6,7 @@ ssh_pwauth: 0
+
+ mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']
+ resize_rootfs_tmp: /dev
+-ssh_deletekeys: 0
++ssh_deletekeys: 1
+ ssh_genkeytypes: ~
+ syslog_fix_perms: ~
+ disable_vmware_customization: false
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch b/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch
new file mode 100644
index 0000000..74bb8ac
--- /dev/null
+++ b/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch
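Review bot: Setting `ssh_deletekeys: 1` while the next line keeps `ssh_genkeytypes: ~` means cloud-init removes the image's `/etc/ssh/ssh_host_*` keys on first boot but, with the key-type list left null, appears to generate none itself (the cc_ssh handling of a null list is not visible here); regeneration is presumably left to sshd-keygen.service, which the sibling unit patch orders cloud-init.service before, so please confirm that unit is enabled in the RHEL images or sshd starts with no host keys. The reason for the flip lives only in the spec's CVE comment, not in cloud.cfg; a line above the option such as `# CVE-2018-10896: delete host keys baked into the image on first boot so cloned instances do not share them; regeneration is left to sshd-keygen.service` would stop it being reverted as a boot-time "optimisation". The commit message's "every new instance deployed" reads as per-boot; stating that the deletion is a once-per-instance action would avoid that misreading.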
@@ -0,0 +1,40 @@
+From 301b1770d3e2580c3ee168261a9a97d143cc5f59 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Mon, 1 Jun 2020 11:58:06 +0200
+Subject: [PATCH] Make cloud-init.service execute after network is up
+
+RH-Author: Eduardo Otubo
+Message-id: <20200526090804.2047-1-otubo@redhat.com>
+Patchwork-id: 96809
+O-Subject: [RHEL-8.2.1 cloud-init PATCH] Make cloud-init.service execute after network is up
+Bugzilla: 1803928
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Miroslav Rezanina
+
+cloud-init.service needs to wait until network is fully up before
+continuing executing and configuring its service.
+
+Signed-off-by: Eduardo Otubo
+
+x-downstream-only: yes
+Resolves: rhbz#1831646
+Signed-off-by: Miroslav Rezanina
+---
+ rhel/systemd/cloud-init.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rhel/systemd/cloud-init.service b/rhel/systemd/cloud-init.service
+index d0023a0..0b3d796 100644
+--- a/rhel/systemd/cloud-init.service
++++ b/rhel/systemd/cloud-init.service
+@@ -5,6 +5,7 @@ Wants=sshd-keygen.service
+ Wants=sshd.service
+ After=cloud-init-local.service
+ After=NetworkManager.service network.service
++After=NetworkManager-wait-online.service
+ Before=network-online.target
+ Before=sshd-keygen.service
+ Before=sshd.service
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch b/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch
new file mode 100644
index 0000000..d8c99fd
--- /dev/null
+++ b/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch
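Review bot: `After=NetworkManager-wait-online.service` is an ordering dependency only; if that unit is not enabled or pulled in by something else, the added line has no effect and the race bz#1803928 describes remains possible. If cloud-init.service genuinely must wait for the network, pair it with `Wants=NetworkManager-wait-online.service` next to the existing `Wants=` lines, accepting that first boot then blocks for up to wait-online's timeout when no connection comes up. A comment above the line naming the bug and the intent, e.g. `# bz#1803928: do not start configuring until NetworkManager reports the network online`, would protect it from a later boot-speed cleanup. The rest of the unit's directives are outside this hunk.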
@@ -0,0 +1,52 @@
+From 0422ba0e773d1a8257a3f2bf3db05f3bc7917eb7 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Thu, 28 May 2020 08:44:08 +0200
+Subject: [PATCH 4/4] Remove race condition between cloud-init and
+ NetworkManager
+
+RH-Author: Eduardo Otubo
+Message-id: <20200327121911.17699-1-otubo@redhat.com>
+Patchwork-id: 94453
+O-Subject: [RHEL-7.9/RHEL-8.2.0 cloud-init PATCHv2] Remove race condition between cloud-init and NetworkManager
+Bugzilla: 1840648
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Cathy Avery
+
+cloud-init service is set to start before NetworkManager service starts,
+but this does not avoid a race condition between them. NetworkManager
+starts before cloud-init can write `dns=none' to the file:
+/etc/NetworkManager/conf.d/99-cloud-init.conf. This way NetworkManager
+doesn't read the configuration and erases all resolv.conf values upon
+shutdown. On the next reboot neither cloud-init or NetworkManager will
+write anything to resolv.conf, leaving it blank.
+
+This patch introduces a NM reload (try-reload-or-restart) at the end of cloud-init
+start up so it won't erase resolv.conf upon first shutdown.
+
+x-downstream-only: yes
+
+Signed-off-by: Eduardo Otubo otubo@redhat.com
+Signed-off-by: Miroslav Rezanina
+---
+ rhel/systemd/cloud-final.service | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rhel/systemd/cloud-final.service b/rhel/systemd/cloud-final.service
+index f303483..05add07 100644
+--- a/rhel/systemd/cloud-final.service
++++ b/rhel/systemd/cloud-final.service
+@@ -11,8 +11,8 @@ ExecStart=/usr/bin/cloud-init modules --mode=final
+ RemainAfterExit=yes
+ TimeoutSec=0
+ KillMode=process
+-ExecStartPost=/bin/echo "try restart NetworkManager.service"
+-ExecStartPost=/usr/bin/systemctl try-restart NetworkManager.service
++ExecStartPost=/bin/echo "trying to reload or restart NetworkManager.service"
++ExecStartPost=/usr/bin/systemctl try-reload-or-restart NetworkManager.service
+
+ # Output needs to appear in instance console output
+ StandardOutput=journal+console
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch b/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch
new file mode 100644
index 0000000..a49ca1e
--- /dev/null
+++ b/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch
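Review bot: Both `ExecStartPost=` lines are unprefixed, so a non-zero exit from `systemctl try-reload-or-restart NetworkManager.service` marks cloud-final.service as failed even though the final modules have already run; prefix it with `-` (`ExecStartPost=-/usr/bin/systemctl try-reload-or-restart NetworkManager.service`) unless a NetworkManager reload failure is meant to surface as a cloud-init failure. The reload is a workaround for the ordering problem the description explains, and that reasoning is absent from the unit file itself; a comment such as `# Reload NM so it re-reads conf.d/99-cloud-init.conf (dns=none) written during cloud-init, otherwise NM overwrites resolv.conf on shutdown` would keep the line from being dropped in a cleanup. Whether NetworkManager's reload path actually re-reads conf.d on the targeted version is not visible here and should be verified, since `try-reload-or-restart` will reload rather than restart whenever the unit defines ExecReload.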
@@ -0,0 +1,42 @@
+From e7a0cd9aa71dfd7715eca4b393db0aa348e05f8f Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Thu, 28 May 2020 08:43:58 +0200
+Subject: [PATCH 1/4] cc_set_password: increase random pwlength from 9 to 20
+ (#189)
+
+RH-Author: jmaloy
+Message-id: <20200313015002.3297-2-jmaloy@redhat.com>
+Patchwork-id: 94253
+O-Subject: [RHEL-8.2 cloud-init PATCH 1/1] cc_set_password: increase random pwlength from 9 to 20 (#189)
+Bugzilla: 1812171
+RH-Acked-by: Eduardo Otubo
+RH-Acked-by: Miroslav Rezanina
+
+From: Ryan Harper
+
+Increasing the bits of security from 52 to 115.
+
+LP: #1860795
+(cherry picked from commit 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14)
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ cloudinit/config/cc_set_passwords.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+index c3c5b0f..0742234 100755
+--- a/cloudinit/config/cc_set_passwords.py
++++ b/cloudinit/config/cc_set_passwords.py
+@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):
+ raise errors[-1]
+
+
+-def rand_user_password(pwlen=9):
++def rand_user_password(pwlen=20):
+ return util.rand_str(pwlen, select_from=PW_SET)
+
+
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch b/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch
new file mode 100644
index 0000000..6f75385
--- /dev/null
+++ b/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch
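Review bot: `rand_user_password` has no docstring, and the "115 bits" claim in the commit message rests on two things the function does not record: the size of `PW_SET` (defined outside this hunk) and `util.rand_str` drawing from a CSPRNG, which in this tree only holds once the companion SystemRandom patch is applied. Add a docstring that states the contract, e.g. `"""Return a random password of pwlen characters drawn from PW_SET via util.rand_str; the default of 20 gives roughly 115 bits with the default character set."""`, so a caller passing a shorter pwlen knows what they give up. A non-positive pwlen yields an empty password, since rand_str builds the string from `range(0, strlen)` as the sibling util.py patch shows; if that is never intended, a `pwlen < 1` guard raising ValueError is cheap, though the callers are outside this hunk.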
@@ -0,0 +1,46 @@
+From ebbc83c1ca52620179d94dc1d92c44883273e4ef Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Thu, 28 May 2020 08:44:02 +0200
+Subject: [PATCH 2/4] utils: use SystemRandom when generating random password.
+ (#204)
+
+RH-Author: jmaloy
+Message-id: <20200313184329.16696-2-jmaloy@redhat.com>
+Patchwork-id: 94294
+O-Subject: [RHEL-8.2 cloud-init PATCH 1/1] utils: use SystemRandom when generating random password. (#204)
+Bugzilla: 1812174
+RH-Acked-by: Eduardo Otubo
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Mohammed Gamal
+
+From: Dimitri John Ledkov
+
+As noticed by Seth Arnold, non-deterministic SystemRandom should be
+used when creating security sensitive random strings.
+
+(cherry picked from commit 3e2f7356effc9e9cccc5ae945846279804eedc46)
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ cloudinit/util.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 9d9d5c7..5d51ba8 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -401,9 +401,10 @@ def translate_bool(val, addons=None):
+
+
+def rand_str(strlen=32, select_from=None):
++ r = random.SystemRandom()
+ if not select_from:
+ select_from = string.ascii_letters + string.digits
+- return "".join([random.choice(select_from) for _x in range(0, strlen)])
++ return "".join([r.choice(select_from) for _x in range(0, strlen)])
+
+
+def rand_dict_key(dictionary, postfix=None):
+--
+1.8.3.1
+
diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec
index 57774e7..878b169 100644
--- a/SPECS/cloud-init.spec
+++ b/SPECS/cloud-init.spec
@@ -6,7 +6,7 @@ Name: cloud-init
 Version: 19.4
-Release: 1%{?dist}
+Release: 3%{?dist}
 Summary: Cloud instance init scripts
 Group: System Environment/Base
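Review bot: `rand_str` is now the security-sensitive primitive behind password generation, yet it has no docstring and its `if not select_from:` guard silently replaces an explicitly empty `select_from` (`""` or `[]`) with the letters-and-digits default instead of rejecting it, so a caller that passes an empty alphabet by mistake gets a different one than requested. Consider `if select_from is None:` plus a ValueError for an empty sequence, and a docstring along the lines of `"""Return strlen characters chosen independently from select_from (ascii letters and digits by default) using random.SystemRandom, i.e. the OS CSPRNG; suitable for passwords and tokens."""`. Creating `SystemRandom()` per call is fine; it carries no state worth caching. `secrets.choice` is presumably avoided because this tree still targets Python 2, which is worth a one-line comment so nobody "modernises" it into a non-CSPRNG by accident.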
@@ -22,6 +22,16 @@ Patch0004: 0004-sysconfig-Don-t-write-BOOTPROTO-dhcp-for-ipv6-dhcp.patch
 Patch0005: 0005-DataSourceAzure.py-use-hostnamectl-to-set-hostname.patch
 Patch0006: 0006-include-NOZEROCONF-yes-in-etc-sysconfig-network.patch
 Patch0007: 0007-Remove-race-condition-between-cloud-init-and-Network.patch
+# For bz#1812171 - CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py [rhel-8]
+Patch8: ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch
+# For bz#1812174 - CVE-2020-8631 cloud-init: Use of random.choice when generating random password [rhel-8]
+Patch9: ci-utils-use-SystemRandom-when-generating-random-passwo.patch
+# For bz#1814152 - CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8]
+Patch10: ci-Enable-ssh_deletekeys-by-default.patch
+# For bz#1840648 - [cloud-init][RHEL-8.2.0] /etc/resolv.conf lose config after reboot (initial instance is ok)
+Patch11: ci-Remove-race-condition-between-cloud-init-and-Network.patch
+# For bz#1803928 - [RHEL8.3] Race condition of starting cloud-init and NetworkManager
+Patch12: ci-Make-cloud-init.service-execute-after-network-is-up.patch
 BuildArch: noarch
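Review bot: Patch8 through Patch12 are declared here but nothing in this hunk applies them; if the spec's `%prep` uses explicit `%patchN -p1` lines rather than `%autosetup -p1`, each of the five needs a matching `%patch8 -p1` … `%patch12 -p1`, otherwise the CVE fixes the changelog advertises are never built in. That part of the spec is outside the diff, so please confirm which form is used. The numbering also switches from the zero-padded `Patch0007` to `Patch8`; rpmbuild treats both as PatchN, but keeping one style (`Patch0008`) avoids confusion when the two series are read together.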
@@ -205,6 +215,25 @@ fi
 %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
 %changelog
+* Mon Jun 01 2020 Miroslav Rezanina - 19.4-3.el8
+- ci-Make-cloud-init.service-execute-after-network-is-up.patch [bz#1803928]
+- Resolves: bz#1803928
+ ([RHEL8.3] Race condition of starting cloud-init and NetworkManager)
+
+* Thu May 28 2020 Miroslav Rezanina - 19.4-2.el8
+- ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch [bz#1812171]
+- ci-utils-use-SystemRandom-when-generating-random-passwo.patch [bz#1812174]
+- ci-Enable-ssh_deletekeys-by-default.patch [bz#1814152]
+- ci-Remove-race-condition-between-cloud-init-and-Network.patch [bz#1840648]
+- Resolves: bz#1812171
+ (CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py [rhel-8])
+- Resolves: bz#1812174
+ (CVE-2020-8631 cloud-init: Use of random.choice when generating random password [rhel-8])
+- Resolves: bz#1814152
+ (CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8])
+- Resolves: bz#1840648
+ ([cloud-init][RHEL-8.2.0] /etc/resolv.conf lose config after reboot (initial instance is ok))
+
 * Mon Apr 20 2020 Miroslav Rezanina - 19.4-1.el8
 - Rebase to cloud-init 19.4 [bz#1803095]
 - Resolves: bz#1803095