Bug 31053 - Plain password in listener.log with debug 4
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Listener (univention-directory-listener)
UCS 3.1
Other Linux
: P5 normal (vote)
: UCS 3.1-1-errata
Assigned To: Philipp Hahn
Arvid Requate
Reported: 2013-04-15 08:41 CEST by Tim Petersen
Modified: 2013-06-27 16:05 CEST
Description Tim Petersen univentionstaff 2013-04-15 08:41:41 CEST
The listener.log logs the plain password of the binddn when using debug level 4 - as this is already hidden for another debug message, this should be adjusted:

"15.04.13 02:01:25.226  LISTENER    ( INFO    ) : setting data for all handlers: key=bindpw  value=<PLAIN PASSWORD>"
"15.04.13 02:01:25.226  LISTENER    ( INFO    ) : replication: listener passed key="bindpw" value="<HIDDEN>""
Comment 1 Philipp Hahn univentionstaff 2013-06-25 09:19:36 CEST
(In reply to Tim Petersen from comment #0)
The first message is from the listener, while the second message is from the replication module.
The listener has been changed to hide "bindpw" as well:
# grep bindpw /var/log/univention/listener.log 
25.06.13 09:17:55.690  LISTENER    ( INFO    ) : setting data for all handlers: key=bindpw  value=<HIDDEN>
25.06.13 09:17:55.690  LISTENER    ( INFO    ) : pkgdb-watch: listener passed key="bindpw" value="<HIDDEN>"

UCS-3.2-0:
  svn41644
  univention-directory-listener_8.0.0-1.202.201306250908
  ChangeLog: svn41644
  \item The password is hidden from the logfile on high debug levels (\ucsBug{31053}).

UCS-3.1-1-errata:
  svn41646
  univention-directory-listener_7.0.9-1.203.201306250914
  2013-06-25-univention-directory-listener.yaml svn41647
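
Added example, not part of the bug report or of Univention's code: the fix only masks new entries, so logs written earlier at debug level 4 can still hold the cleartext bind password. This extends the grep check from comment 1 to flag such lines by file and line number without printing the value; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Univention code): find log lines where the listener wrote
# the bindpw value unmasked. Prints "file:line" only, never the value itself.

find_exposed_bindpw() {
    status=0
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -cd -- "$f" ;;   # rotated, compressed logs
            *)    cat -- "$f" ;;
        esac | awk -v file="$f" '
            # Both formats quoted in the bug: key=bindpw  value=X
            # and key="bindpw" value="X".
            match($0, /key="?bindpw"?[ \t]+value=/) {
                val = substr($0, RSTART + RLENGTH)
                sub(/[ \t\r]+$/, "", val)          # trailing whitespace or CR
                sub(/^"/, "", val); sub(/"$/, "", val)
                if (val != "<HIDDEN>") { print file ":" NR; found = 1 }
            }
            END { exit (found ? 1 : 0) }
        ' || status=1
    done
    # Exit status 1 means at least one unmasked entry was found.
    return "$status"
}

# Constructed sample log: line 1 is unmasked (dummy value), lines 2-3 are masked.
write_sample_log() {
    cat > "$1" <<'EOF'
15.04.13 02:01:25.226  LISTENER    ( INFO    ) : setting data for all handlers: key=bindpw  value=EXAMPLE-not-a-real-secret
15.04.13 02:01:25.226  LISTENER    ( INFO    ) : replication: listener passed key="bindpw" value="<HIDDEN>"
25.06.13 09:17:55.690  LISTENER    ( INFO    ) : setting data for all handlers: key=bindpw  value=<HIDDEN>
EOF
}

# Usage: find_exposed_bindpw /var/log/univention/listener.log*
```

Any hit means the bind password was written to disk in cleartext and should be treated as exposed to whoever could read that file or its backups.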
Comment 2 Arvid Requate univentionstaff 2013-06-25 11:06:07 CEST
Verified, changelog wording adjusted slightly.
Comment 3 Janek Walkenhorst univentionstaff 2013-06-27 16:05:19 CEST
http://errata.univention.de/ucs/3.1/132.html