The following issue has been RESOLVED.
======================================================================
http://www.dbmail.org/mantis/view.php?id=545
======================================================================
Reported By:                maenaka
Assigned To:                paul
======================================================================
Project:                    DBMail
Issue ID:                   545
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     resolved
target:
Resolution:                 fixed
Fixed in Version:           2.2.5
======================================================================
Date Submitted:             20-Mar-07 02:08 CET
Last Modified:              20-Mar-07 09:17 CET
======================================================================
Summary:                    Security hole
Description:
In dbmail_imap_session_handle_auth() in dbmail-imapsession.c, when
auth_validate() returns -1, TRACE(TRACE_ERROR, "db-validate ...") is called
with the unescaped raw IMAP password along with the IMAP username.
======================================================================

----------------------------------------------------------------------
 paul - 20-Mar-07 09:17
----------------------------------------------------------------------
Hardly a 'blocking' bug this, and hardly even a security issue given that
the raw password is/was only logged in case of serious database trouble.
Still, better err on the side of caution. Patch applied.

Issue History
Date Modified   Username       Field                    Change
======================================================================
20-Mar-07 02:08 maenaka        New Issue
20-Mar-07 02:08 maenaka        File Added: patch-dbmail-imapsession.c
20-Mar-07 09:17 paul           Note Added: 0001930
20-Mar-07 09:17 paul           Assigned To               => paul
20-Mar-07 09:17 paul           Severity                 block => minor
20-Mar-07 09:17 paul           Status                   new => resolved
20-Mar-07 09:17 paul           Resolution               open => fixed
20-Mar-07 09:17 paul           Fixed in Version          => 2.2.5
======================================================================
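
The logging pattern from the issue description, next to a form that keeps the password out of the log and escapes the username. This is an added example, not DBMail code and not the attached patch; the function names, message text and sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not DBMail code: copy src into dst, writing
 * backslash and non-printable bytes as \xNN so a client-supplied value
 * cannot split or forge log lines. */
static void log_escape(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;
    if (dstlen == 0) return;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= dstlen) break;      /* keep room for the NUL */
            dst[o++] = (char)c;
        } else {
            if (o + 4 >= dstlen) break;      /* 4 bytes of escape + NUL */
            snprintf(dst + o, dstlen - o, "\\x%02x", c);
            o += 4;
        }
    }
    dst[o] = '\0';
}

/* Before: the pattern the report describes. Message text is constructed. */
int format_auth_error_unsafe(char *out, size_t outlen,
                             const char *user, const char *password)
{
    return snprintf(out, outlen, "validate error user [%s] pass [%s]",
                    user, password);
}

/* After: the password is never formatted and the username is escaped. */
int format_auth_error_safe(char *out, size_t outlen,
                           const char *user, const char *password)
{
    char esc[256];
    (void)password;                          /* deliberately not logged */
    log_escape(esc, sizeof esc, user);
    return snprintf(out, outlen, "validate error user [%s]", esc);
}

int main(void)
{
    char line[512];
    /* Constructed input: username with an embedded CRLF. */
    format_auth_error_safe(line, sizeof line, "alice\r\nforged", "s3cret");
    puts(line);
    return 0;
}
```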