On Thu, Jun 15, 2023 at 10:48:57PM +0200, Christian Kastner wrote:
>
> Package: debci
> Version: 3.6
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> When using authentication in AMQP connections, the username and password
> supplied in the --url option to amqp-consume resp. amqp-publish are
> exposed in the process list, see #1037322:
>
>   $ pgrep -a amqp-consume
>   62287 amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue
>
> A patch has been accepted upstream to read the username and password
> from a file. I assume this will make its way into amqp-tools soon.
>
> Unless I'm mistaken, debci will need to be updated for this, e.g. by
> adding a debci_amqp_pwfile config option + NEWS entry suggesting that
> people migrate to this new option. I'd be happy to file an MR for this,
> once amqp-tools has been fixed.

Note that the variable where you inserted a username and password is called debci_amqp_server, and was never supposed to be used for putting a password in plain text. For the c.d.n deployment we use SSL client certificates for authentication, and that's why the variables debci_amqp_cacert, debci_amqp_cert, debci_amqp_key are there. IMO that is no different from any other program that takes a url as a command line parameter: you can pass a URL containing a username and password, but then that's on you.
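An audit check for the exposure discussed in this thread, as an added example that is not part of the original messages or of debci or amqp-tools: it scans process command lines for amqp:// or amqps:// URLs that carry a password and reports them with the password redacted. The function names, the scheme list and the second sample entry are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

# Schemes to flag; this list is an assumption of the example.
SCHEMES = {"amqp", "amqps"}

# First entry is the process shown in the report; the second is constructed.
SAMPLE = [
    (62287, ["amqp-consume", "--url", "amqp://user:pass@192.168.0.1", "--queue=myqueue"]),
    (62290, ["amqp-publish", "--url=amqps://192.168.0.1"]),
]

def find_exposed_credentials(processes):
    """Return (pid, program, redacted_url) for each argument that is a URL
    with a non-empty password in its userinfo part."""
    findings = []
    for pid, argv in processes:
        for arg in argv:
            # Accept both "--url URL" and "--url=URL".
            is_opt = arg.startswith("--") and "=" in arg
            candidate = arg.split("=", 1)[1] if is_opt else arg
            try:
                parts = urlsplit(candidate)
            except ValueError:
                continue
            if parts.scheme.lower() not in SCHEMES or not parts.password:
                continue
            host = parts.netloc.rsplit("@", 1)[1]
            redacted = f"{parts.scheme}://{parts.username}:***@{host}{parts.path}"
            findings.append((pid, argv[0], redacted))
    return findings

def read_proc_cmdlines(proc_root="/proc"):
    """Yield (pid, argv) for every readable /proc/<pid>/cmdline (Linux only)."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or access was denied
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if argv:
            yield int(entry), argv

if __name__ == "__main__":
    for pid, prog, url in find_exposed_credentials(read_proc_cmdlines()):
        print(f"{pid} {prog}: password visible in process list ({url})")
```

Run as an unprivileged user, it reports what any other local account can read from the process list.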