
Bug#600136: marked as done (pu: package libapache-authenhook-perl/2.00-04+pristine-1+lenny1)

Your message dated Sun, 28 Nov 2010 19:20:26 +0000
with message-id <1290972026.6247.10230.camel@hathi.jungle.funky-badger.org>
and subject line Closing stable updates from 5.0.6
has caused the Debian Bug report #600136,
regarding pu: package libapache-authenhook-perl/2.00-04+pristine-1+lenny1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

600136: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600136
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

libapache-authenhook-perl logs passwords in Apache's error.log if the
log level is >= info[1].  I prepared an update for Lenny including the
same patch used for testing/unstable (already unblocked[2] as well).

The security team sees this as a minor issue that should not get a DSA
and be fixed in the next point release.

Shall I go ahead and upload the package to proposed-updates?


[1] <http://bugs.debian.org/599712>
[2] <http://bugs.debian.org/599779>
diff -u libapache-authenhook-perl-2.00-04+pristine/debian/changelog libapache-authenhook-perl-2.00-04+pristine/debian/changelog
--- libapache-authenhook-perl-2.00-04+pristine/debian/changelog
+++ libapache-authenhook-perl-2.00-04+pristine/debian/changelog
@@ -1,3 +1,9 @@
+libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable; urgency=high
+  * [CVE-2010-3845] Remove passwords from log messages. (Closes: #599712)
+ -- Ansgar Burchardt <ansgar@debian.org>  Wed, 13 Oct 2010 23:17:55 +0200
 libapache-authenhook-perl (2.00-04+pristine-1) unstable; urgency=low
   [ gregor herrmann ]
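Review bot: The new changelog entry says only "Remove passwords from log messages" and does not say where they were written or under which setting. Per the request text this is Apache's error.log at log level info or more verbose, and naming both in the entry would tell administrators which existing logs to review after upgrading.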
only in patch2:
--- libapache-authenhook-perl-2.00-04+pristine.orig/AuthenHook.xs
+++ libapache-authenhook-perl-2.00-04+pristine/AuthenHook.xs
@@ -180,8 +180,8 @@
     case OK:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' verified",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' verified",
+                    user);
       status = AUTH_GRANTED;
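Review bot: Only the two ap_log_rerror calls shown in these hunks stop passing `password`, and the code between the hunks and the rest of AuthenHook.xs is not visible here. Please confirm, for example by searching the source for `password` in log calls, that no other message still formats it.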
@@ -196,8 +196,8 @@
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' denied",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' denied",
+                    user);
       status = AUTH_DENIED;
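Review bot: The denied branch still logs `user` verbatim at APLOG_INFO, and on a failed login that field can hold a password typed into the username prompt by mistake. Consider whether the username of a denied attempt needs to be logged at info, or state in the changelog that this is accepted.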

--- End Message ---
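An added example, not part of the original message or of the package: a log audit for error.log files written before this update, matching the two message formats the patch removes. The function names and the sample log lines are constructed for illustration.

```python
import re

# Message format taken from the two format strings the patch removes from
# AuthenHook.xs. The password group is greedy, so a password that itself
# contains "'" is captured up to the final "' verified" / "' denied".
LEAK = re.compile(
    r"Apache::AuthenHook - user '(?P<user>.*?)', "
    r"password '(?P<pw>.*)' (?P<result>verified|denied)"
)

# Constructed sample lines in Apache 2.2 error.log layout (not real log data).
SAMPLE = [
    "[Wed Oct 13 21:02:11 2010] [info] [client 192.0.2.10] "
    "Apache::AuthenHook - user 'alice', password 's3cr3t' verified",
    "[Wed Oct 13 21:02:40 2010] [info] [client 192.0.2.11] "
    "Apache::AuthenHook - user 'bob', password 'it's-wrong' denied",
    "[Wed Oct 13 23:30:05 2010] [info] [client 192.0.2.10] "
    "Apache::AuthenHook - user 'alice' verified",  # post-patch format
]

def audit(lines):
    """Redact logged passwords; return (redacted_lines, {user: {results}})."""
    redacted, exposed = [], {}
    for line in lines:
        m = LEAK.search(line)
        if m:
            exposed.setdefault(m.group("user"), set()).add(m.group("result"))
            line = line[:m.start("pw")] + "[REDACTED]" + line[m.end("pw"):]
        redacted.append(line)
    return redacted, exposed

def needs_reset(exposed):
    """Users whose logged password was accepted, i.e. a valid credential leaked."""
    return sorted(u for u, results in exposed.items() if "verified" in results)

if __name__ == "__main__":
    cleaned, exposed = audit(SAMPLE)
    print("\n".join(cleaned))
    print("reset passwords for:", needs_reset(exposed))
```

Users that appear only with a "denied" result are still worth reviewing, since a rejected password is often a near miss of the real one.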
--- Begin Message ---
Version: 5.0.6

Each of these bugs relates to a stable update which was released as part
of the 5.0.6 point release; marking as resolved.



--- End Message ---
