Package: debci
Version: 3.6
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hi,

When using authentication in AMQP connections, the username and password supplied in the --url option to amqp-consume resp. amqp-publish are exposed in the process list, see #1037322:

    $ pgrep -a amqp-consume
    62287 amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue

A patch has been accepted upstream to read the username and password from a file. I assume this will make its way into amqp-tools soon.

Unless I'm mistaken, debci will need to be updated for this, e.g. by adding a debci_amqp_pwfile config option + NEWS entry suggesting that people migrate to this new option.

I'd be happy to file an MR for this, once amqp-tools has been fixed.

Best,
Christian

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-0.deb11.7-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debci depends on:
ii  adduser                     3.118
pn  amqp-tools                  <none>
ii  curl                        7.88.1-7~bpo11+2
ii  dctrl-tools                 2.24-3+b1
ii  debian-archive-keyring      2021.1.1+deb11u1
ii  debootstrap                 1.0.128+nmu2~bpo11+1
ii  devscripts                  2.22.2~bpo11+1
pn  distro-info                 <none>
ii  fonts-font-awesome          5.0.10+really4.7.0~dfsg-4.1
ii  jq                          1.6-2.1
ii  libjs-bootstrap             3.4.1+dfsg-2
ii  libjs-jquery                3.5.1+dfsg+~3.5.5-7
pn  libjs-jquery-flot           <none>
pn  moreutils                   <none>
ii  netcat-openbsd              1.217-3
pn  parallel                    <none>
ii  patchutils                  0.4.2-1
pn  retry                       <none>
ii  rsync                       3.2.7-1~bpo11+1
ii  ruby                        1:2.7+2
pn  ruby-activerecord           <none>
pn  ruby-bunny                  <none>
pn  ruby-erubi                  <none>
pn  ruby-kaminari-activerecord  <none>
pn  ruby-pg                     <none>
pn  ruby-sinatra                <none>
pn  ruby-sinatra-contrib        <none>
pn  ruby-sqlite3                <none>
pn  ruby-thor                   <none>
pn  sudo                        <none>

Versions of packages debci recommends:
ii  systemd-timesyncd [time-daemon]  252.5-2~bpo11+1

Versions of packages debci suggests:
pn  apt-cacher-ng  <none>
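
An audit check for the exposure described in this report, added here as an example; it is not part of the report, debci or amqp-tools. The function name `find_amqp_cred_leaks` and its optional proc-root argument are hypothetical, and the script assumes a Linux-style /proc with NUL-separated `cmdline` files.

```shell
#!/bin/sh
# Added example: list processes whose command line carries an AMQP URL
# with embedded credentials (amqp://user:password@host), printing the
# PID and the command line with the password redacted.
#
# find_amqp_cred_leaks is a hypothetical helper name. The optional
# argument (default /proc) is an assumption so the scan can be pointed
# at a constructed directory tree when testing.
# Usage: find_amqp_cred_leaks            # scan the live /proc

find_amqp_cred_leaks() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        # Skip processes that vanished or that we may not read
        [ -r "$dir/cmdline" ] || continue

        # argv is NUL-separated in cmdline; join it into one line and
        # drop the trailing space left by the final NUL
        cmd=$({ tr '\0' ' ' < "$dir/cmdline"; } 2>/dev/null | sed 's/ *$//')

        # Userinfo with both a user and a password part before the '@'
        if printf '%s\n' "$cmd" |
            grep -Eq 'amqps?://[^/@: ]+:[^/@ ]+@'; then
            # Never echo the secret itself into audit output
            redacted=$(printf '%s\n' "$cmd" |
                sed -E 's#(amqps?://[^/@: ]+:)[^/@ ]+@#\1REDACTED@#g')
            printf '%s %s\n' "${dir##*/}" "$redacted"
        fi
    done
}
```

An empty result means no running process currently exposes AMQP credentials this way; it does not cover processes that started and exited between scans.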