Hi,

libapache-authenhook-perl logs passwords in Apache's error.log if the
log level is >= info[1].  I prepared an update for Lenny including the
same patch used for testing/unstable (already unblocked[2] as well).

Should this go through stable-security or does the security team see
this as a minor issue that should be fixed in the next point release?
In the former case, shall I upload a package based on the attached patch
to stable-security?

Regards,
Ansgar

[1] <http://bugs.debian.org/599712>
[2] <http://bugs.debian.org/599779>

Index: debian/changelog
===================================================================
--- debian/changelog	(revision 63673)
+++ debian/changelog	(working copy)
@@ -1,3 +1,9 @@
+libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable-security; urgency=high
+
+  * Remove passwords from log messages. (Closes: #599712)
+
+ -- Ansgar Burchardt <ans...@debian.org>  Wed, 13 Oct 2010 15:36:05 +0200
+
 libapache-authenhook-perl (2.00-04+pristine-1) unstable; urgency=low
 
   [ gregor herrmann ]
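Review bot: the changelog entry only says the log messages are changed; since the bug is that plaintext passwords were already written to error.log at log level info and above, the entry (or the README.Debian / NEWS file) should tell administrators that previously written log files may still contain passwords and should be reviewed, rotated or scrubbed after the upgrade. The version string "2.00-04+pristine-1+lenny1", the "stable-security" distribution and "urgency=high" look consistent with a stable security upload.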
Index: AuthenHook.xs
===================================================================
--- AuthenHook.xs	(revision 63673)
+++ AuthenHook.xs	(working copy)
@@ -180,8 +180,8 @@
 
     case OK:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' verified",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' verified",
+                    user);
 
       status = AUTH_GRANTED;
       break;
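Review bot: dropping the second '%s' and the "password" argument together keeps the format string and its argument list in sync, so the change in the OK branch is correct as written. Worth checking that no other ap_log_rerror() call in AuthenHook.xs still receives "password" as an argument (including any debug-level message), so that the same class of leak does not survive at a different log level; the AUTH_GRANTED message keeping the user name is fine and remains useful for audit trails.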
@@ -196,8 +196,8 @@
 
     default:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' denied",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' denied",
+                    user);
 
       status = AUTH_DENIED;
   };
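Review bot: the AUTH_DENIED message likewise keeps user but drops the password, which is the right split: the user name at APLOG_INFO is what an administrator needs to spot repeated failed logins, while the rejected password has no operational value and is often a near-miss of a valid credential. One pre-existing style nit visible in the trailing context: the "};" closing the switch carries a redundant semicolon (an empty statement); it is harmless and out of scope for a security upload, but could be cleaned up in unstable.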
