Your message dated Sat, 23 Oct 2010 19:54:40 +0000
with message-id <e1p9kaq-0003gy...@franck.debian.org>
and subject line Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-1+lenny1
has caused the Debian Bug report #599712,
regarding libapache-authenhook-perl: leaks passwords to the logs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
599712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599712
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache-authenhook-perl
Version: 2.00-04+pristine-1+b1
Severity: grave
Tags: security
Justification: user security hole

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text,
to the vhost's error log:

      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                    "Apache::AuthenHook - user '%s', password '%s' verified",
                    user, password);

As far as I can see, this behavior is not documented, and impossible to turn
off (it's hard-coded in the C file) except by raising the log level.
I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that case,
it should only be possible to enable for the Apache admin.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Source: libapache-authenhook-perl
Source-Version: 2.00-04+pristine-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libapache-authenhook-perl, which is due to be installed in the Debian FTP 
archive:

libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ansgar Burchardt <ans...@debian.org> (supplier of updated libapache-authenhook-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Wed, 13 Oct 2010 23:17:55 +0200
Source: libapache-authenhook-perl
Binary: libapache-authenhook-perl
Architecture: amd64 source
Version: 2.00-04+pristine-1+lenny1
Distribution: stable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Ansgar Burchardt <ans...@debian.org>
Closes: 599712
Description: 
 libapache-authenhook-perl - Perl API for Apache 2.1 authentication
Changes: 
 libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable; urgency=high
 .
   * [CVE-2010-3845] Remove passwords from log messages. (Closes: #599712)

--- End Message ---
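An added example, not code from the bug report or from the Apache::AuthenHook package: a scrubber for error-log lines that a vulnerable build already wrote (matching the "user '...', password '...' verified" format quoted above), next to the shape of a log message that carries the username but never the secret, as the CVE-2010-3845 fix does. The exact wording of the fixed message, the function names and the sample log lines are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

static const char OPEN_TAG[]  = "password '";   /* format from the bug report */
static const char CLOSE_TAG[] = "' verified";
static const char REPL[]      = "[REDACTED]";

/* Pointer to the LAST occurrence of needle in hay, or NULL. */
static const char *find_last(const char *hay, const char *needle) {
    const char *last = NULL, *p = hay;
    while ((p = strstr(p, needle)) != NULL) { last = p; p++; }
    return last;
}

/* Copy one log line from in to out, replacing a leaked password with REPL.
 * Returns 1 if redacted, 0 if copied unchanged, -1 if out is too small.
 * The line ends with "' verified", so the LAST such marker closes the field:
 * a password containing "' verified" must not cut the redaction short. */
int redact_authenhook_line(const char *in, char *out, size_t cap) {
    const char *start = strstr(in, OPEN_TAG);
    const char *end = start ? find_last(start + strlen(OPEN_TAG), CLOSE_TAG) : NULL;
    if (!start || !end) {
        if (strlen(in) + 1 > cap) return -1;
        strcpy(out, in);
        return 0;
    }
    size_t prefix = (size_t)(start - in) + strlen(OPEN_TAG);
    if (prefix + strlen(REPL) + strlen(end) + 1 > cap) return -1;
    memcpy(out, in, prefix);
    memcpy(out + prefix, REPL, strlen(REPL));
    strcpy(out + prefix + strlen(REPL), end);
    return 1;
}

/* Password-free message a fixed module should log (assumed wording). Returns 1 on success. */
int format_auth_log(char *out, size_t cap, const char *user) {
    int n = snprintf(out, cap, "Apache::AuthenHook - user '%s' verified", user);
    return (n >= 0 && (size_t)n < cap) ? 1 : 0;
}

int main(void) {
    /* Constructed sample lines in the format the bug report shows. */
    const char *lines[] = {
        "[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'alice', password 'hunter2' verified",
        "[Sun Oct 10 13:19:02 2010] [error] [client 192.0.2.11] File does not exist: /var/www/favicon.ico",
    };
    char buf[512];
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++) {
        int rc = redact_authenhook_line(lines[i], buf, sizeof buf);
        printf("%s %s\n", rc == 1 ? "redacted " : "unchanged", buf);
    }
    return 0;
}
```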