
Bug#869773: xdm logs failed logins that may be sensitive



Package: xdm
Version: 1:1.1.11-3
Severity: normal

Dear Maintainer,

When somebody tries to log in and fails, xdm writes the given user name in
the system logs. Unfortunately, typing the password in the login field is a
common mistake. When that happens, xdm logs it too. That leaves the
password of a user in the clear in the system logs. It is not very
important, but still a little security concern since normally passwords
are stored permanently on the system only in hashed form.

The corresponding log line looks like this:

Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX

(I have redacted the login that was actually a password.)

It may be better to not log it at all, or maybe only log it when it matches
an actual login name.

Regards,

-- 
  Nicolas George


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xdm depends on:
ii  cpp                    4:6.3.0-4
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.24-11+deb9u1
ii  libpam0g               1.1.8-3.6
ii  libselinux1            2.6-3+b1
ii  libx11-6               2:1.6.4-3
ii  libxau6                1:1.0.8-1
ii  libxaw7                2:1.0.13-1+b2
ii  libxdmcp6              1:1.1.2-3
ii  libxext6               2:1.3.3-1+b2
ii  libxft2                2.3.2-1+b2
ii  libxinerama1           2:1.1.3-1+b3
ii  libxmu6                2:1.1.2-2
ii  libxpm4                1:3.5.12-1
ii  libxrender1            1:0.9.10-1
ii  libxt6                 1:1.1.5-1
ii  lsb-base               9.20161125
ii  procps                 2:3.3.12-3
ii  x11-utils              7.7+3+b1
ii  x11-xserver-utils      7.7+7+b1

xdm recommends no packages.

xdm suggests no packages.

-- debconf information:
  xdm/daemon_name: /usr/bin/xdm
* shared/default-x-display-manager: xdm
  xdm/stop_running_server_with_children: false
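The following is an added example, not code from the report above or from xdm's own source. It sketches the reporter's second suggestion from a defender's angle: a failed-login message keeps the supplied name only when it matches an existing account, and otherwise substitutes a placeholder, so a password typed into the login field never reaches the log. The function names, the `known_user_fn` predicate type and the demo account list are assumptions made for this example; the message format copies the one quoted in the report.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical helpers, not xdm's code): decide what a
 * "LOGIN FAILURE" line may contain. A name that matches no account on the
 * system is quite possibly a mistyped password, so it is replaced by a
 * placeholder instead of being written to the log in the clear. */

/* Predicate type, so the policy can be exercised against a constructed
 * account list as well as against the real password database. */
typedef int (*known_user_fn)(const char *name);

/* Real lookup: true when the name is an existing local account. */
int known_via_passwd(const char *name)
{
    return name != NULL && getpwnam(name) != NULL;
}

/* Build the log message into buf. The display string is the daemon's own
 * value (e.g. ":0"); only the user-supplied name is filtered.
 * Returns 1 if the name was kept, 0 if it was redacted. */
int format_login_failure(const char *display, const char *name,
                         known_user_fn is_known, char *buf, size_t len)
{
    const char *shown = "<redacted: not a known user>";
    int kept = 0;
    if (is_known(name)) {
        shown = name;
        kept = 1;
    }
    snprintf(buf, len, "LOGIN FAILURE ON %s, %s", display, shown);
    return kept;
}

/* Convenience wrapper returning the finished line; it uses a static
 * buffer, so copy the result before the next call. */
const char *login_failure_line(const char *display, const char *name,
                               known_user_fn is_known)
{
    static char line[256];
    format_login_failure(display, name, is_known, line, sizeof line);
    return line;
}

/* Constructed account list for the demonstration; the names are made up. */
static const char *const demo_accounts[] = { "alice", "bob", NULL };

int known_via_demo_list(const char *name)
{
    for (size_t i = 0; demo_accounts[i] != NULL; i++)
        if (name != NULL && strcmp(demo_accounts[i], name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a real account name, then a "name" that is
     * actually a password typed into the wrong field. */
    puts(login_failure_line(":0", "alice", known_via_demo_list));
    /* prints: LOGIN FAILURE ON :0, alice */
    puts(login_failure_line(":0", "my-passw0rd", known_via_demo_list));
    /* prints: LOGIN FAILURE ON :0, <redacted: not a known user> */
    return 0;
}
```

In a real daemon the predicate would be `known_via_passwd`; the demo list exists only so the behaviour can be checked without touching the system's account database. Note that the check still leaks one bit (whether the typed string is an account name), which is the trade-off the reporter's first option, not logging the name at all, avoids.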
