========================================================================= Ubuntu Security Notice USN-7677-1 July 28, 2025 cloud-init vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.04 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in cloud-init. Software Description: - cloud-init: initialization and customization tool for cloud instances Details: Harry Sintonen discovered that the hotplugd socket in cloud-init was world writable. An attacker could possibly use this issue to send hotplug-hook commands. (CVE-2024-11584) It was discovered that cloud-init granted root access to a hardcoded URL with a local IP address when a non-x86 platform is detected. An attacker could possibly impersonate an OpenStack endpoint and provide root configuration data. (CVE-2024-6174) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.04 cloud-init 25.1.4-0ubuntu0~25.04.1 cloud-init-base 25.1.4-0ubuntu0~25.04.1 Ubuntu 24.04 LTS cloud-init 25.1.4-0ubuntu0~24.04.1 Ubuntu 22.04 LTS cloud-init 25.1.4-0ubuntu0~22.04.1 Ubuntu 20.04 LTS cloud-init 24.4.1-0ubuntu0~20.04.3+esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS cloud-init 23.1.2-0ubuntu0~18.04.1+esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS cloud-init 21.1-19-gbad84ad4-0ubuntu1~16.04.4+esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7677-1 CVE-2024-11584, CVE-2024-6174 Package Information: https://launchpad.net/ubuntu/+source/cloud-init/25.1.4-0ubuntu0~25.04.1 https://launchpad.net/ubuntu/+source/cloud-init/25.1.4-0ubuntu0~24.04.1 https://launchpad.net/ubuntu/+source/cloud-init/25.1.4-0ubuntu0~22.04.1