Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
libapache-authenhook-perl logs passwords in Apache's error.log if the log level is >= info [1]. I prepared an update for Lenny including the same patch used for testing/unstable (already unblocked [2] as well).

The security team sees this as a minor issue that should not get a DSA and be fixed in the next point release.

Shall I go ahead and upload the package to proposed-updates?

Regards,
Ansgar

[1] <http://bugs.debian.org/599712>
[2] <http://bugs.debian.org/599779>
diff -u libapache-authenhook-perl-2.00-04+pristine/debian/changelog libapache-authenhook-perl-2.00-04+pristine/debian/changelog --- libapache-authenhook-perl-2.00-04+pristine/debian/changelog +++ libapache-authenhook-perl-2.00-04+pristine/debian/changelog @@ -1,3 +1,9 @@ +libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable; urgency=high + + * [CVE-2010-3845] Remove passwords from log messages. (Closes: #599712) + + -- Ansgar Burchardt <ans...@debian.org> Wed, 13 Oct 2010 23:17:55 +0200 + libapache-authenhook-perl (2.00-04+pristine-1) unstable; urgency=low [ gregor herrmann ] only in patch2: unchanged: --- libapache-authenhook-perl-2.00-04+pristine.orig/AuthenHook.xs +++ libapache-authenhook-perl-2.00-04+pristine/AuthenHook.xs @@ -180,8 +180,8 @@ case OK: ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "Apache::AuthenHook - user '%s', password '%s' verified", - user, password); + "Apache::AuthenHook - user '%s' verified", + user); status = AUTH_GRANTED; break; @@ -196,8 +196,8 @@ default: ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "Apache::AuthenHook - user '%s', password '%s' denied", - user, password); + "Apache::AuthenHook - user '%s' denied", + user); status = AUTH_DENIED; };
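Review bot: in the debian/changelog hunk, the entry targets `stable` with version `2.00-04+pristine-1+lenny1`, which is what a lenny proposed-update should look like, and it names CVE-2010-3845 and closes #599712; one documentation suggestion is to add a short clause such as "user names are still logged at info level" so that administrators reading the changelog know what remains in error.log after the update.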
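Review bot: in the `@@ -180,8 +180,8 @@` hunk of AuthenHook.xs, the format string and the argument list are changed together (one `%s`, one argument `user`), so there is no format/argument mismatch after removing `password` from the `ap_log_rerror` call; the message stays at `APLOG_INFO`, which matches the changelog's description of the fix as removing the password rather than lowering the log level.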
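Review bot: in the `@@ -196,8 +196,8 @@` hunk, the `default:` branch is fixed the same way as the `case OK:` branch, but the two hunks leave the switch cases between lines 188 and 195 out of the diff context; please confirm that no other `ap_log_rerror` call in that range (or elsewhere in AuthenHook.xs) still passes `password` as an argument, since the changelog claims passwords are removed from the log messages in general and this diff only shows these two call sites.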