
Bug#1029077: marked as done (debian-edu-config: leaks first user password in Debconf answers)



Your message dated Mon, 13 Feb 2023 17:03:56 +0000
with message-id <E1pRcFA-000Dpk-C9@fasolo.debian.org>
and subject line Bug#1029077: fixed in debian-edu-config 2.12.29
has caused the Debian Bug report #1029077,
regarding debian-edu-config: leaks first user password in Debconf answers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1029077: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029077
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: debian-edu-config
Version: 2.12.25
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

It was discovered that the password for the first user (GOSa), and the root
user if using the Debian Edu installer, is not cleared from the Debconf
answers database. It is also therefore available unencrypted in the
system memory on tjener, at least after the first ever debconf run.

The database is generally not world-readable, and regular users cannot
access arbitrary system memory, so this is not a critical security bug.

I still propose to clear the password from the Debconf database "as
soon as possible", as per the Debconf Programmer's Tutorial [1]:

  You should consider clearing that value out of the database as soon
  as is possible.

- -nik

[1] http://www.fifi.org/doc/debconf-doc/tutorial.html#AEN34

-----BEGIN PGP SIGNATURE-----

iMAEARYKAGgWIQSk6zxRYJYchegBkTEK5VTlRg4b3QUCY8ahVDEaaHR0cHM6Ly93
d3cuZG9taW5pay1nZW9yZ2UuZGUvZ3BnLXBvbGljeS50eHQuYXNjGBxuYXR1cmVz
aGFkb3dAZGViaWFuLm9yZwAKCRAK5VTlRg4b3aIyAQCOlYlZt6REMchQ9DSak5JD
5PmdwnD89Uc0K4U+feDu4QD6A8WwWgnV7ov3VJ0wupphIVopqGcnIxJrZH8LnYaW
cAY=
=Vrqx
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.29
Done: Holger Levsen <holger@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029077@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Feb 2023 17:48:44 +0100
Source: debian-edu-config
Architecture: source
Version: 2.12.29
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 1029077
Changes:
 debian-edu-config (2.12.29) unstable; urgency=medium
 .
   * d-i/finish install: remove first local user (and kdc and ldap if set)
     passwords from debconf after setting them in the system. Thanks to
     Wolfgang Schweer. Closes: #1029077.
   * d-i/pre-pkgsel: only set kdc and ldap passwords on main-server, thanks to
     Wolfgang Schweer.
Checksums-Sha1:
 5b744999cfd3d6224c14e604cecdcfcdc334ebd9 2026 debian-edu-config_2.12.29.dsc
 cfa8e145f948f4948545d5f8e734de518eb3e17f 353336 debian-edu-config_2.12.29.tar.xz
 eb5eff281ec1c7579545a7cc77d0bb4859f7f50f 5886 debian-edu-config_2.12.29_source.buildinfo
Checksums-Sha256:
 428ebd61408ad3893a2688df4cd4a16b002fb5666b71bed4e5960c33ec6fe07d 2026 debian-edu-config_2.12.29.dsc
 75b71d227acec0dbabfac691b434c6f300f202542b14c8c2e3f7da7c99cae26b 353336 debian-edu-config_2.12.29.tar.xz
 0c9d519dce43ddb2004d4e4602e8bb087b6f6866026e7b61c23d2bbb06a45d79 5886 debian-edu-config_2.12.29_source.buildinfo
Files:
 7a92562104a95747689577e38f6f0abb 2026 misc optional debian-edu-config_2.12.29.dsc
 b729daca09ce7f6aa1fdb36dc234d51d 353336 misc optional debian-edu-config_2.12.29.tar.xz
 21223d728f3403110dc539f80eaa7af5 5886 misc optional debian-edu-config_2.12.29_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
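The report above describes a password that stays in the Debconf answers database after it has been used, and the changelog describes the fix (clear the value from debconf once the password has been set in the system). The following audit script is an added example and is not part of the bug report, the changelog, or the debian-edu-config package. It parses the text-driver format used by /var/cache/debconf/templates.dat and config.dat, and reports every question whose template type is "password" and whose stored Value is still non-empty. The question names and the password value in the embedded sample data are constructed placeholders, not the real debian-edu-config question names.

```python
"""Audit a debconf database for password answers that were never cleared.

Added example: checks the debconf text-driver files for questions of type
'password' that still carry a value (the class of problem in #1029077).
"""
from pathlib import Path

# Constructed sample data in the debconf text-driver layout. The question
# names ("example-pkg/...") and the value are hypothetical placeholders.
SAMPLE_TEMPLATES = """\
Name: example-pkg/first-user-password
Type: password
Description: Password for the first user:
Owners: example-pkg

Name: example-pkg/site-name
Type: string
Description: Site name:
Owners: example-pkg
"""

SAMPLE_CONFIG = """\
Name: example-pkg/first-user-password
Template: example-pkg/first-user-password
Value: hunter2-constructed
Owners: example-pkg
Flags: seen

Name: example-pkg/site-name
Template: example-pkg/site-name
Value: school
Owners: example-pkg
Flags: seen
"""


def parse_records(text):
    """Parse blank-line separated 'Field: value' records into dicts.

    Lines starting with whitespace continue the previous field (debconf
    uses this for Extended_description and Variables).
    """
    records, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        records.append(current)
    return records


def find_leaked_passwords(templates_text, config_text):
    """Return names of questions whose template type is 'password' and whose
    stored Value is non-empty, i.e. secrets that were never cleared."""
    password_templates = {
        r["Name"] for r in parse_records(templates_text)
        if r.get("Type") == "password"
    }
    return [
        q["Name"] for q in parse_records(config_text)
        if q.get("Template") in password_templates and q.get("Value", "")
    ]


def audit_files(templates_path="/var/cache/debconf/templates.dat",
                config_path="/var/cache/debconf/config.dat"):
    """Run the check against a live debconf database (needs read access,
    which is normally root-only)."""
    return find_leaked_passwords(Path(templates_path).read_text(),
                                 Path(config_path).read_text())


if __name__ == "__main__":
    for name in find_leaked_passwords(SAMPLE_TEMPLATES, SAMPLE_CONFIG):
        print("password still stored in debconf:", name)
```

On a real system, run `audit_files()` as root; an empty list means every password-typed question has been cleared, which is what the 2.12.29 fix achieves for the first user, kdc and ldap passwords after they have been applied. Note that the check only covers the on-disk database: a value cleared with `db_set` is gone from config.dat, but any process that already read it may still hold it in memory until it exits, which is the second concern the report raises.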
