Your message dated Mon, 11 Oct 2010 05:47:06 +0000
with message-id <e1p5be2-0002jr...@franck.debian.org>
and subject line Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-2
has caused the Debian Bug report #599712,
regarding libapache-authenhook-perl: leaks passwords to the logs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
599712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599712
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache-authenhook-perl
Version: 2.00-04+pristine-1+b1
Severity: grave
Tags: security
Justification: user security hole

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text,
to the vhost's error log:

      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                    "Apache::AuthenHook - user '%s', password '%s' verified",
                    user, password);

As far as I can see, this behavior is not documented, and impossible to turn
off (it's hard-coded in the C file) except by raising the log level.
I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that case,
it should only be possible to enable for the Apache admin.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
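The report above shows the exact message the module writes, so an administrator who ran the affected build can check whether plaintext passwords are already sitting in the error log and scrub them before the log is shipped, rotated or handed to anyone else. The script below is an added example, not code from the bug report or from the libapache-authenhook-perl package: it matches the hard-coded format string quoted in the report ("Apache::AuthenHook - user '%s', password '%s' verified"), reports which users were exposed, and rewrites the password field. The log lines it runs on are constructed for the example; the only real element is the message format. Because the password is the last quoted field before the fixed suffix, it is matched greedily up to the final "' verified", so passwords containing quotes or the word "verified" are still captured and redacted whole.

```python
"""Find and scrub plaintext passwords written to an Apache error log by
Apache::AuthenHook 2.00 (Debian bug #599712). Added example; the sample log
lines are constructed, only the message format comes from the bug report."""
import re
import sys
from typing import List, NamedTuple, Tuple

# Constructed sample lines in Apache 2.2 error_log format (not taken from a real host).
SAMPLE_LOG = """\
[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'alice', password 'hunter2' verified
[Sun Oct 10 13:18:46 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'bob', password 'it''s, verified' verified
[Sun Oct 10 13:18:47 2010] [notice] [client 192.0.2.11] Apache::AuthenHook - user 'carol' failed to authenticate
[Sun Oct 10 13:18:48 2010] [error] [client 192.0.2.12] File does not exist: /var/www/favicon.ico
"""

# The module's format string is "Apache::AuthenHook - user '%s', password '%s' verified".
# The username is matched lazily up to the first "', password '"; the password is
# matched greedily up to the final "' verified" so quotes or the word "verified"
# inside a password do not truncate the match. A username that itself contains
# "', password '" cannot be parsed unambiguously; the log format does not allow it.
LEAK_RE = re.compile(
    r"^(?P<head>.*Apache::AuthenHook - user '(?P<user>.*?)', password ')"
    r"(?P<password>.*)"
    r"(?P<tail>' verified)$"
)

REDACTED = "<redacted>"


class Leak(NamedTuple):
    lineno: int  # 1-based line number in the log text
    user: str
    password: str


def find_leaks(log_text: str) -> List[Leak]:
    """Return every (line number, user, password) triple the module leaked."""
    leaks: List[Leak] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LEAK_RE.match(line)
        if m:
            leaks.append(Leak(lineno, m.group("user"), m.group("password")))
    return leaks


def redact_line(line: str) -> Tuple[str, bool]:
    """Replace the password field of a leaking line; other lines pass through unchanged."""
    m = LEAK_RE.match(line)
    if not m:
        return line, False
    return m.group("head") + REDACTED + m.group("tail"), True


def scrub_log(log_text: str) -> Tuple[str, int]:
    """Redact all leaking lines; return the scrubbed text and the number of lines changed."""
    out: List[str] = []
    changed = 0
    for line in log_text.splitlines():
        new_line, hit = redact_line(line)
        changed += int(hit)
        out.append(new_line)
    trailing = "\n" if log_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


if __name__ == "__main__":
    # Usage: python scrub_authenhook.py < /var/log/apache2/error.log > error.log.scrubbed
    # With no stdin redirect, the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for leak in find_leaks(text):
        # Print only the user, never the password, to stderr: do not leak it a second time.
        print(f"line {leak.lineno}: password of user {leak.user!r} was logged in clear", file=sys.stderr)
    scrubbed, n = scrub_log(text)
    sys.stdout.write(scrubbed)
    print(f"{n} line(s) redacted", file=sys.stderr)
```

Scrubbing the file is damage control, not the fix: the module must be upgraded to a version without the log call (2.00-04+pristine-2 in Debian), any copies of the log already forwarded to a central log host or backup should be scrubbed or destroyed as well, and the users listed by the report should have their passwords changed, since the log may have been readable by anyone with access to the vhost's error log.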
--- Begin Message ---
Source: libapache-authenhook-perl
Source-Version: 2.00-04+pristine-2

We believe that the bug you reported is fixed in the latest version of
libapache-authenhook-perl, which is due to be installed in the Debian FTP 
archive:

libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
  to 
main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
libapache-authenhook-perl_2.00-04+pristine-2.dsc
  to 
main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2.dsc
libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb
  to 
main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ivan Kohler <ivan-deb...@420.am> (supplier of updated libapache-authenhook-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 10 Oct 2010 22:21:46 -0700
Source: libapache-authenhook-perl
Binary: libapache-authenhook-perl
Architecture: source amd64
Version: 2.00-04+pristine-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Ivan Kohler <ivan-deb...@420.am>
Description: 
 libapache-authenhook-perl - Perl API for Apache 2.1 authentication
Closes: 599712
Changes: 
 libapache-authenhook-perl (2.00-04+pristine-2) unstable; urgency=low
 .
   [ gregor herrmann ]
   * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
     (source stanza).
 .
   [ Ivan Kohler ]
   * Remove passwords from log messages (Closes: #599712)
   * Add myself to Uploaders:
Checksums-Sha1: 
 cf9f39ccb2325954d25cd746003bc32f311d16e9 1637 libapache-authenhook-perl_2.00-04+pristine-2.dsc
 5f32caba35cd4c95966ee8d553a12c5ac136e6fb 3053 libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
 f8e6ef9224ec7cd4160afb638702940aa14e9d0b 16272 libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb
Checksums-Sha256: 
 a0a162c2cdd8a57ffca7b40f0b89c935ca49775ddbaee8c506b0593e9fc8669d 1637 libapache-authenhook-perl_2.00-04+pristine-2.dsc
 05e04764f0bdf22f84207d83dc7166fef6f5fc57f9364dfddeee0b94d279eaf5 3053 libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
 9e3d2e4978868ee527e607acd78ae21e2436bb53dce1a70877ff76a687bd9fff 16272 libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb
Files: 
 d597300c97408461bd514f9656c85eb4 1637 perl optional libapache-authenhook-perl_2.00-04+pristine-2.dsc
 00d68dbf2421d1957961ccddcf92dceb 3053 perl optional libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
 fa99813cec78414613d68883ef00b544 16272 perl optional libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyyotUACgkQgYcvm1TBwckLQwCfRnWc+24VStuGd5K8t1u5tXZn
2BwAnirwulqA9SzVASNALBxBjfYNlm1t
=Tkjf
-----END PGP SIGNATURE-----



--- End Message ---