Package: rainloop
Version: 1.12.1-2
Severity: important

Dear Maintainer,

When writing into a logfile, rainloop writes the passwords of all login attempts (successful or not) into the logfile in cleartext.

Rainloop provides an option 'hide_passwords' in the application.ini that should prohibit that behaviour, which is by default set to 'On'. But apparently this doesn't have any effect.

There is already an unresolved github issue about that topic:
https://github.com/RainLoop/rainloop-webmail/issues/1872

Even though this issue doesn't affect the actual usability of rainloop, I set the severity to 'Important' as this is a security issue.

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rainloop depends on:
ii  apache2 [httpd]         2.4.38-3+deb10u3
ii  ckeditor                4.11.1+dfsg-1
ii  php-curl                2:7.3+69
ii  php-fpm                 2:7.3+69
ii  php-nrk-predis          1.0.0-1
ii  php-pclzip              2.8.2-4
ii  php-seclib              1.0.14-1
ii  php-xml                 2:7.3+69
ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
ii  php7.3-json [php-json]  7.3.14-1~deb10u1
ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1

rainloop recommends no packages.

Versions of packages rainloop suggests:
pn  php5-sqlite | php5-mysql | php5-pgsql  <none>

-- Configuration Files:
/etc/rainloop/application.ini changed [not included]
/etc/rainloop/rainloop.apache.conf changed [not included]

-- no debconf information

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
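An administrator can check an installation for the behaviour reported above with a canary test: log in once with a throwaway account whose password is a unique string, then search the logs for that string while reading the 'hide_passwords' value from application.ini. The script below is an added example, not part of the original report or of RainLoop; the function names, the log directory argument, and the sample ini and log contents are constructed assumptions.

```python
import base64
import configparser
import tempfile
from pathlib import Path
from urllib.parse import quote


def hide_passwords_enabled(ini_path):
    """Return the hide_passwords setting as a bool, or None if the key is absent."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(ini_path, encoding="utf-8")
    for section in cfg.sections():  # search every section for the key
        if cfg.has_option(section, "hide_passwords"):
            value = cfg.get(section, "hide_passwords").strip("\"' ").lower()
            return value in ("on", "1", "true", "yes")
    return None


def find_leaks(log_dir, user, canary):
    """Return (file, line number, encoding) for each log line holding the canary."""
    sasl = base64.b64encode(f"\0{user}\0{canary}".encode()).decode()
    forms = {"raw": canary, "urlencoded": quote(canary, safe=""), "sasl-plain": sasl}
    hits = []
    for path in sorted(p for p in Path(log_dir).glob("*") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            hits += [(path.name, lineno, n) for n, s in forms.items() if s in line][:1]
    return hits


def audit(ini_path, log_dir, user, canary):
    """Combine both checks: a hit while the option is on matches the report."""
    leaks = find_leaks(log_dir, user, canary)
    if not leaks:
        return "no canary found", leaks
    state = "on" if hide_passwords_enabled(ini_path) else "off or unset"
    return f"canary logged with hide_passwords {state}", leaks


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample files
        ini = Path(tmp, "application.ini")
        ini.write_text("[logs]\nenable = On\nhide_passwords = On\n")
        logs = Path(tmp, "logs")
        logs.mkdir()
        (logs / "sample.txt").write_text("constructed line\nlogin user=u pass=Canary+1/x\n")
        print(audit(ini, logs, "u", "Canary+1/x"))
```

On a real system, pass /etc/rainloop/application.ini and the directory the installation writes its logs to, and rotate the canary account's password after the test.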