Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-05 Thread Jesse Vincent
On Tue 3.Feb'09 at 22:37:59 -0500, Isaac Vetter wrote: The docs for 'LogStackTrace' have been updated as follows. How do folks feel about the new notice? If set then logging will include stack traces for messages with level equal or greater than specified. NOTICE: Stack traces

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-05 Thread Rob Munsch
On Thu, Feb 5, 2009 at 3:47 PM, Jesse Vincent je...@bestpractical.com wrote: On Tue 3.Feb'09 at 22:37:59 -0500, Isaac Vetter wrote: The docs for 'LogStackTrace' have been updated as follows. How do folks feel about the new notice? If set then logging will include stack traces for

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-04 Thread Matthew Seaman
Isaac Vetter wrote: The docs for 'LogStackTrace' have been updated as follows. How do folks feel about the new notice? If set then logging will include stack traces for messages with level equal or greater than specified. NOTICE: Stack traces include parameters that functions or methods were

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-04 Thread Dominic Hargreaves
On Wed, Feb 04, 2009 at 08:06:34AM +, Matthew Seaman wrote: One idea I've seen and quite like is what OpenLDAP does. Passwords and other security tokens are Base64 encoded in all output[*]. Sure it's a trivial encoding that anyone could decode in moments, but it prevents people

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Dave Sherohman
On Mon, Feb 02, 2009 at 06:16:38PM -0500, Jesse Vincent wrote: Thankfully, at first glance, it looks like the issue you've run into isn't particularly dangerous. RT ships with stack trace logging disabled and _generally_ the folks who have access to application logs are also the folks who

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Andreas Heinlein
Dave Sherohman schrieb: I can't say that I find the latter point particularly relevant, as many users are in the habit of re-using passwords across multiple sites. If I, as an RT admin, have access to my RT users' passwords, then that may not present any risk to the security of my RT

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Akash
Well, the point is that it is wrong for anyone (even the admin) to know the passwords of any user in the clear just by looking at the log files. (How someone can obtain the passwords is a different matter.) On Tue, Feb 3, 2009 at 7:55 AM, Andreas Heinlein aheinl...@gmx.com wrote: Dave Sherohman

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Dave Sherohman
On Tue, Feb 03, 2009 at 01:55:41PM +0100, Andreas Heinlein wrote: Dave Sherohman schrieb: I can't say that I find the latter point particularly relevant, as many users are in the habit of re-using passwords across multiple sites. If I, as an RT admin, have access to my RT users'

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Graeme Fowler
Akash wrote: Well, the point is that it is wrong for anyone (even the admin) to know the passwords of any user in the clear just by looking at the log files. (How someone can obtain the passwords is a different matter.) I disagree. On rare occasions, characters *within* a password can cause

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Raed El-Hames
I would agree with Jesse's input that the first email should have gone to Best Practical and not a mailing list. I would also agree with Jesse and a couple of others that this is not a security risk .. The fact that a sys admin can see a user's password and then use it on bank accounts or anything

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Andreas Heinlein
Dave Sherohman schrieb: On Tue, Feb 03, 2009 at 01:55:41PM +0100, Andreas Heinlein wrote: Dave Sherohman schrieb: I can't say that I find the latter point particularly relevant, as many users are in the habit of re-using passwords across multiple sites. If I, as an RT admin, have

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Dave Sherohman
On Tue, Feb 03, 2009 at 04:25:04PM +0100, Andreas Heinlein wrote: Dave Sherohman schrieb: Fair point, but I still see a significant difference between turn on this switch and we'll hand you the passwords in a log file and the various methods you mention, any of which would require some

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Jesse Vincent
On Tue 3.Feb'09 at 4:53:16 -0600, Dave Sherohman wrote: On Mon, Feb 02, 2009 at 06:16:38PM -0500, Jesse Vincent wrote: Thankfully, at first glance, it looks like the issue you've run into isn't particularly dangerous. RT ships with stack trace logging disabled and _generally_ the folks

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-03 Thread Isaac Vetter
The docs for 'LogStackTrace' have been updated as follows. How do folks feel about the new notice? If set then logging will include stack traces for messages with level equal or greater than specified. NOTICE: Stack traces include parameters that functions or methods were called with. It

[rt-users] Security risk! Passwords can be compromised!

2009-02-02 Thread Akash
Hi all, When I enabled logging of stack traces, the user passwords are being written in cleartext in the log files! I enabled stack tracing by adding the following line in RT_SiteConfig.pm: Set($LogStackTraces, 4); Can somebody please fix this serious error so that passwords are encrypted?

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-02 Thread Jo Rhett
On Feb 2, 2009, at 2:26 PM, Akash wrote: Also, if a 3.8.2 port is available, is it stable enough to update my 3.8.1 version? The 3.8.2 port update is here: http://www.freebsd.org/cgi/query-pr.cgi?pr=131167 And we've been running it for a week with no problems. The change from 3.8.1 to

Re: [rt-users] Security risk! Passwords can be compromised!

2009-02-02 Thread Jesse Vincent
Akash, Just as a general point of etiquette, it's customary to notify vendors of security related issues privately before publicly announcing them. Posting the details of security-related issues to a public mailinglist without giving the folks who make a package to address a potential