Hello Daniel,

I don't have the possibility to try out a newer version of rainloop, but according to a recent comment on the github issue [1] this is really fixed in version 1.14.0 of rainloop. So I assume that only applies to the current stable release.

Nevertheless I see this bug as grave enough that in my opinion this has to be mentioned prominently to users of the package or even better be fixed in a downstream patch (if the actual cause of the problem is known).

Best regards
Marco

[1] https://github.com/RainLoop/rainloop-webmail/issues/1872#issuecomment-645547357

On Sun, Jun 14, 2020 at 10:13:23PM -0700, Daniel Ring wrote:
> Hello Marco,
>
> I wasn't able to reproduce this issue in the current version of Rainloop.
> Passwords were replaced by asterisks in the logs with the hide_passwords
> option enabled (the default). Could you please check to see if package
> version 1.14.0-1, currently in testing/unstable, resolves the issue for you?
>
> Fortunately the package version in stable is secure by default, as logging
> is disabled in the default config file. The GitHub issue has unfortunately
> been open for over a year with no comments from upstream, so they likely
> have no plans to address it.
>
> -- Daniel
>
> On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:
> > Package: rainloop
> > Version: 1.12.1-2
> > Severity: important
> >
> > Dear Maintainer,
> >
> > When writing into a logfile, rainloop writes the passwords of all login
> > attempts (successful or not) into the logfile in cleartext.
> >
> > Rainloop provides an option 'hide_passwords' in the application.ini that
> > should prohibit that behaviour, which is by default set to 'On'. But
> > apparently this doesn't have any effect.
> >
> > There is already an unresolved github issue about that topic:
> > https://github.com/RainLoop/rainloop-webmail/issues/1872
> >
> > Even though this issue doesn't affect the actual usability of rainloop,
> > I set the severity to 'Important' as this is a security issue.
> >
> >
> > -- System Information:
> > Debian Release: 10.4
> > APT prefers stable-updates
> > APT policy: (500, 'stable-updates'), (500, 'stable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> > LANGUAGE=en_US:en (charmap=UTF-8)
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> >
> > Versions of packages rainloop depends on:
> > ii apache2 [httpd] 2.4.38-3+deb10u3
> > ii ckeditor 4.11.1+dfsg-1
> > ii php-curl 2:7.3+69
> > ii php-fpm 2:7.3+69
> > ii php-nrk-predis 1.0.0-1
> > ii php-pclzip 2.8.2-4
> > ii php-seclib 1.0.14-1
> > ii php-xml 2:7.3+69
> > ii php7.3-curl [php-curl] 7.3.14-1~deb10u1
> > ii php7.3-fpm [php-fpm] 7.3.14-1~deb10u1
> > ii php7.3-json [php-json] 7.3.14-1~deb10u1
> > ii php7.3-xml [php-xml] 7.3.14-1~deb10u1
> >
> > rainloop recommends no packages.
> >
> > Versions of packages rainloop suggests:
> > pn php5-sqlite | php5-mysql | php5-pgsql <none>
> >
> > -- Configuration Files:
> > /etc/rainloop/application.ini changed [not included]
> > /etc/rainloop/rainloop.apache.conf changed [not included]
> >
> > -- no debconf information
> >

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel