Bug#599712: libapache-authenhook-perl: leaks passwords to the logs

Ansgar Burchardt ansgar at 43-1.org
Wed Oct 13 21:04:04 UTC 2010


Moritz Muehlenhoff <jmm at inutil.org> writes:

> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
>> libapache-authenhook-perl logs passwords in Apache's error.log if the
>> log level is >= info[1].  I prepared an update for Lenny including the
>> same patch used for testing/unstable (already unblocked[2] as well).
>> 
>> Should this go through stable-security or does the security team see
>> this as a minor issue that should be fixed in the next point release?
>> In the former case, shall I upload a package based on the attached patch
>> to stable-security?
>
> Since the impact is minor, please fix it through a point update.
>
> I'll request a CVE ID for it and keep you CCed, maybe you can
> hold off the upload for a few days until it's available? (The
> next point update will take a few weeks anyway)

Sure.  I'll prepare an upload and contact the stable release team once I
get the CVE ID.

Regards,
Ansgar




