Bug#600136: marked as done (pu: package libapache-authenhook-perl/2.00-04+pristine-1+lenny1)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 28 Nov 2010 19:20:26 +0000
with message-id <1290972026.6247.10230.camel@hathi.jungle.funky-badger.org>
and subject line Closing stable updates from 5.0.6
has caused the Debian Bug report #600136,
regarding pu: package libapache-authenhook-perl/2.00-04+pristine-1+lenny1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
600136: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600136
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: pu: package libapache-authenhook-perl/2.00-04+pristine-1+lenny1
• From: Ansgar Burchardt <ansgar@2008.43-1.org>
• Date: Wed, 13 Oct 2010 23:24:23 +0200
• Message-id: <20101013212423.4088.99675.reportbug@marvin.43-1.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

libapache-authenhook-perl logs passwords in Apache's error.log if the
log level is >= info[1].  I prepared an update for Lenny including the
same patch used for testing/unstable (already unblocked[2] as well).

The security team sees this as a minor issue that should not get a DSA
and be fixed in the next point release.

Shall I go ahead and upload the package to proposed-updates?

Regards,
Ansgar

[1] <http://bugs.debian.org/599712>
[2] <http://bugs.debian.org/599779>

diff -u libapache-authenhook-perl-2.00-04+pristine/debian/changelog libapache-authenhook-perl-2.00-04+pristine/debian/changelog
--- libapache-authenhook-perl-2.00-04+pristine/debian/changelog
+++ libapache-authenhook-perl-2.00-04+pristine/debian/changelog
@@ -1,3 +1,9 @@
+libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable; urgency=high
+
+  * [CVE-2010-3845] Remove passwords from log messages. (Closes: #599712)
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Wed, 13 Oct 2010 23:17:55 +0200
+
 libapache-authenhook-perl (2.00-04+pristine-1) unstable; urgency=low
 
   [ gregor herrmann ]
only in patch2:
unchanged:
--- libapache-authenhook-perl-2.00-04+pristine.orig/AuthenHook.xs
+++ libapache-authenhook-perl-2.00-04+pristine/AuthenHook.xs
@@ -180,8 +180,8 @@
 
     case OK:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' verified",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' verified",
+                    user);
 
       status = AUTH_GRANTED;
       break;
@@ -196,8 +196,8 @@
 
     default:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' denied",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' denied",
+                    user);
 
       status = AUTH_DENIED;
   };

--- End Message ---

--- Begin Message ---

• To: 596354-done@bugs.debian.org, 600136-done@bugs.debian.org, 602593-done@bugs.debian.org, 603720-done@bugs.debian.org
• Subject: Closing stable updates from 5.0.6
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sun, 28 Nov 2010 19:20:26 +0000
• Message-id: <1290972026.6247.10230.camel@hathi.jungle.funky-badger.org>

Version: 5.0.6

Each of these bugs relates to a stable update which was released as part
of the 5.0.6 point release; marking as resolved.

Regards,

Adam

--- End Message ---