Your message dated Fri, 30 Mar 2012 12:40:24 +0200
with message-id <20120330104024.GA12994@PC-Ale>
and subject line Re: Bug#624753: Security prb with apt with https transport
has caused the Debian Bug report #624753,
regarding errorbuffer message includes user/password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
624753: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624753
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-transport-https
Version: 0.8.10.3
Severity: important

When you use in source-list
deb http://user:password@hostname
host couldn't resolve if password or username has @ character.
Error in the regex that selects the host?
e.g.:
deb https://myname@mydomain:mypassword@hostname/debian squeeze main
gives
Couldn't resolve host 'mydomaine:mypassword@hostname

Best regards.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt-transport-https depends on:
ii  apt [libapt-pkg4.10]          0.8.10.3   Advanced front-end for dpkg
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libcurl3-gnutls               7.21.0-1   Multi-protocol file transfer libra
ii  libgcc1                       1:4.4.5-8  GCC support library
ii  libstdc++6                    4.4.5-8    The GNU Standard C++ Library v3

apt-transport-https recommends no packages.

apt-transport-https suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
On Thu, May 05, 2011 at 02:53:57PM +0200, David Kalnischkies wrote:
> in case of error, apt-transport-https prints the error message gathered
> with CURL_ERRORBUFFER.
> If we have an unresolvable host the message in stable
> (with libcurl3-gnutls 7.21.0) is as follows:
> Couldn't resolve host 'example.org:[email protected]'
> 
> As you can see here, it includes username and password.
> Even further, the username is garbled as the username is in reality:
> [email protected] -- so the 'me@' is cut off.
> 
> (It's not really a security issue in my eyes, as the user who can see this
>  message can easily also look up the files himself, but on the other
>  hand it is not really useful to include here - especially not broken.)

AFAICS this is fixed in unstable (and I agree on the "not really a security
issue"). Closing.

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'



--- End Message ---
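An added example, not code from apt, libcurl or either message above: RFC 3986 does not allow a literal '@' inside userinfo, so the sketch below percent-encodes credentials before they go into a URI, and strips userinfo from a URI before it is written to a log or error message. The function names `encode_userinfo_component` and `strip_userinfo` are hypothetical, and the sample URI is constructed from the sources.list line in the report.

```cpp
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Percent-encode one userinfo component (user name or password) so that only
// RFC 3986 "unreserved" characters stay literal: '@' -> %40, ':' -> %3A.
std::string encode_userinfo_component(const std::string& raw) {
    std::string out;
    for (unsigned char c : raw) {
        if (c < 128 && (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')) {
            out += static_cast<char>(c);
        } else {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%%%02X", static_cast<unsigned>(c));
            out += buf;
        }
    }
    return out;
}

// Return the URI with any userinfo removed, for use in logs and error text.
// The authority ends at the first '/', '?' or '#'; the split is made at the
// LAST '@' inside it, so an unencoded '@' in the credentials cannot leave
// part of them in front of the host name.
std::string strip_userinfo(const std::string& uri) {
    const std::string::size_type scheme_end = uri.find("://");
    if (scheme_end == std::string::npos) return uri;  // no authority part
    const std::string::size_type auth_begin = scheme_end + 3;
    std::string::size_type auth_end = uri.find_first_of("/?#", auth_begin);
    if (auth_end == std::string::npos) auth_end = uri.size();
    const std::string::size_type at = uri.rfind('@', auth_end);
    if (at == std::string::npos || at < auth_begin) return uri;  // no credentials
    return uri.substr(0, auth_begin) + uri.substr(at + 1);
}

int main() {
    // Constructed input modelled on the sources.list line in the report.
    const std::string uri = "https://myname@mydomain:mypassword@hostname/debian";
    std::cout << strip_userinfo(uri) << '\n';
    std::cout << "https://" << encode_userinfo_component("myname@mydomain") << ':'
              << encode_userinfo_component("mypassword") << "@hostname/debian\n";
    return 0;
}
```

An unencoded '/', '?' or '#' in a password still ends the authority early, which is a further reason to encode credentials before building the URI.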
