It was reported that cloud-init could send requests for EC2 instance data to untrusted systems. This could allow someone who has control over a suitable domain name to obtain root rights on an affected system.
This issue was found and silently fixed in 2012; version 0.7.0 contains the fix.
Not vulnerable. This issue did not affect the versions of cloud-init as shipped with Red Hat Enterprise Linux OpenStack Platform 3.0.
Created cloud-init tracking bugs for this issue:
Affects: epel-5 [bug 1073592]
This does affect EPEL5, however, as it provides cloud-init 0.6.3. I do see now that EPEL 6 does in fact include 0.7.4.
A patch that fixes this bug was added to the cloud-init in EPEL 5 back in 2012, so it's not vulnerable either.
Perfect, thanks Sam!