diff --git a/backport-fix-Logging-sensitive-data.patch b/backport-fix-Logging-sensitive-data.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0e31d45b63a34d7ecfab4794a10a486fece8be80
--- /dev/null
+++ b/backport-fix-Logging-sensitive-data.patch
@@ -0,0 +1,56 @@
+From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
+From: Brett Holman
+Date: Wed, 3 Apr 2024 13:51:25 -0600
+Subject: [PATCH] fix: Logging sensitive data
+
+Don't log sensitive data.
+
+Since /var/log/cloud-init.log is a priviledged file, this does not expose a
+secure system (no CVE). However, we don't want to log this information so that
+users can file reports without having to manually redact logs.
+
+Standardize log messages so that redacted and non-redacted logs match.
+
+Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
+---
+ cloudinit/subp.py | 24 +++++++++---------------
+ 1 file changed, 9 insertions(+), 15 deletions(-)
+
+diff --git a/cloudinit/subp.py b/cloudinit/subp.py
+index 85a970f..9347f4f 100644
+--- a/cloudinit/subp.py
++++ b/cloudinit/subp.py
+@@ -229,21 +229,15 @@ def subp(
+ if status_cb:
+ command = " ".join(args) if isinstance(args, list) else args
+ status_cb("Begin run command: {command}\n".format(command=command))
+- if not logstring:
+- LOG.debug(
+- "Running command %s with allowed return codes %s"
+- " (shell=%s, capture=%s)",
+- args,
+- rcs,
+- shell,
+- "combine" if combine_capture else capture,
+- )
+- else:
+- LOG.debug(
+- "Running hidden command to protect sensitive "
+- "input/output logstring: %s",
+- logstring,
+- )
++
++ LOG.debug(
++ "Running command %s with allowed return codes %s"
++ " (shell=%s, capture=%s)",
++ logstring if logstring else args,
++ rcs,
++ shell,
++ "combine" if combine_capture else capture,
++ )
+
+ stdin: Union[TextIOWrapper, int]
+ stdout = None
+--
+2.27.0
+
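Review bot: The `status_cb` call in the context lines just above the rewritten `LOG.debug` still formats the full `args` into "Begin run command: ...", so a caller that passes `logstring` to keep a secret out of the debug log still has the real command line handed to the status callback. Where that callback writes is not visible in this hunk, so this needs confirming, but if it reaches a console or a file the redaction is incomplete; consider `command = logstring or (" ".join(args) if isinstance(args, list) else args)`. A one-line comment above `LOG.debug` stating that `logstring` stands in for `args` whenever the command carries sensitive input would also help future callers. `subp` starts and ends outside the hunk.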
diff --git a/cloud-init.spec b/cloud-init.spec
index 048c105d0e356f3c93a6251826da93fe264e2e88..97b9866fdd5b65df96ccd8a956d65c8e1b1327b7 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 23.4.1
-Release: 2
+Release: 3
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -19,6 +19,7 @@ Patch6001: backport-test-fix-tmpdir-in-test_cc_apk_configure.patch
 Patch6002: backport-bug-tests-mock-reads-of-host-s-sys-class-net-via-get.patch
 Patch6003: backport-tests-drop-CiTestCase-and-convert-to-pytest.patch
 Patch6004: backport-test-fix-disable_sysfs_net-mock.patch
+Patch6005: backport-fix-Logging-sensitive-data.patch
 
 BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
 BuildRequires: iproute python3-configobj python3-responses
@@ -149,6 +150,12 @@ fi
 %exclude /usr/share/doc/*
 
 %changelog
+* Fri Apr 12 2024 shixuantong - 23.4.1-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix: Logging sensitive data
+
 * Wed Apr 03 2024 shixuantong - 23.4.1-2
 - Type:bugfix
 - CVE:NA