On Mon, Jul 07, 2025 at 06:00:15PM +0000, Jeremy Stanley wrote:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607 has
finally been switched to public upstream as of Friday, and contains a lot more of the rationale behind their breaking change decisions.
Thanks. My initial thinking about this issue mirrors what was
expressed by James Page in the launchpad comments. [1] In a typical
cloud environment, this would not be an issue, as it would not be
possible for a malicious user to hijack one of the link-local IMDS
addresses. However, as observed elsewhere, not all uses of cloud-init
are in actual cloud environments. [2] We provide downloadable VM images
that are usable with qemu in non-cloud environments. In those cases, it
is possible that there could be a malicious user on the local network
link with one of the IMDS addresses. It's an unlikely scenario, and
relies on quite a bit of coincidental network access and configuration,
but it can happen.
Given all of that, I think we should:
1. Update to the latest cloud-init upstream for trixie. It includes a
couple of other low-risk bug fixes, too.
2. Update cloud-init in a bookworm point release with a backport of the
fix. I haven't looked yet at the complexity involved in backporting
the fix to 22.4.2 yet, but will do so now.
Given the limited impact of the breaking change, I think documenting it
in debian/changelog is sufficient, and we don't need a NEWS entry.
Does anybody disagree with the above?
noah
1.
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607/comments/31
2.
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607/comments/32
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)