Univention Bugzilla – Bug 56354
various passwords in process list visible
Last modified: 2023-11-06 15:19:07 CET
base/univention-licence/tools/univention-license-import.in:err=$(ldapadd -x -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$file" 2>&1)
base/univention-licence/tools/univention-license-import.in: ldapsearch -xLLL -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" cn=admin -b "cn=license,cn=univention,$ldap_base" | ldapsea
base/univention-licence/tools/univention-license-import.in: ldapdelete -x -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "cn=admin,cn=license,cn=univention,$ldap_base"
base/univention-licence/tools/univention-license-import.in: ldapadd -x -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$file"
doc/developer-reference/listener/details.rst: -w "$(cat /etc/machine.secret)"
management/univention-directory-listener/debian/tests/filter: ldapadd -H "ldap://$FQDN:$PORT" -ZZ -x -D "cn=admin,$BASE" -w "$SECRET" <<__LDIF__
management/univention-directory-listener/debian/tests/filter: ldapsearch -xLLLo ldif-wrap=no -H "ldap://$FQDN:$PORT" -b "cn=test${n:-},$BASE" -s base -ZZ -D "cn=admin,$BASE" -w "$SECRET" 1.1
management/univention-directory-listener/debian/tests/filter: -x -D "cn=admin,$BASE" -w "$SECRET"
management/univention-directory-listener/debian/tests/filter: -x -D "cn=admin,$BASE" -w "$SECRET" &
management/univention-directory-listener/debian/tests/filter: ldapsearch -xLLLo ldif-wrap=no -H "ldap://$FQDN:7389" -b "cn=test${n:-},$BASE" -s base -ZZ -D "cn=update,$BASE" -w "$secret" 1.1
management/univention-directory-listener/doc.34355/common.sh: /usr/bin/ldapsearch -h "$BINDHOST" -p "$BINDPORT" -x -D "$BINDDN" -w "$BINDPW" -LLL -o ldif-wrap=no "$@"
management/univention-directory-listener/doc.34355/common.sh: /usr/bin/ldapadd -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-listener/doc.34355/common.sh: /usr/bin/ldapmodify -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-listener/doc.34355/common.sh: /usr/bin/ldapmodrdn -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-listener/doc.34355/common.sh: /usr/bin/ldapdelete -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-manager-modules/scripts/fix_primary_group_membership: ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF
management/univention-directory-manager-modules/scripts/fix_primary_group_membership: ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF
management/univention-directory-manager-modules/scripts/fix_primary_group_membership: ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF
management/univention-directory-manager-modules/scripts/fix_primary_group_membership: ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF
management/univention-directory-replication/univention-directory-replication-resync:if ldapmodify -x -w "$(cut -d\" -f2 /etc/ldap/rootpw.conf)" -D "cn=update,${ldap_base}" -c -S "${faileddns}" -f "$1" >>"$LOG" 2>&1
management/univention-ldap/test/listner-notifier-test: ldapmodrdn -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "$dn" "$rdn=Object$string1"
management/univention-ldap/test/listner-notifier-test: ldapmodrdn -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -r "$rdn=Object$string1,cn=$cn,$ldap_base" "$rdn=Objectxxx$string2"
management/univention-ldap/test/listner-notifier-test: cmd="ldapmodify -x -D 'cn=update,$ldap_base' -w '$rootpw' -f backup.ldif"
management/univention-ldap/univention-backup2master: ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
management/univention-ldap/univention-backup2master:ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
management/univention-ldap/univention-backup2master:ldapdelete -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "krb5PrincipalName=ldap/${old_ldap_master}@${kerberos_realm},cn=kerberos,${ldap_base}"
monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus:ldapsearch -x -h "$LDAPSERVER" -p "$LDAPPORT" -D "$ldap_hostdn" -w $(cat /etc/machine.secret) -b "$ldap_base" -s base 2> /dev/null > /dev/null
monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus:ldapsearch -x -ZZ -h "$LDAPSERVER" -p "$LDAPPORT" -D "$ldap_hostdn" -w $(cat /etc/machine.secret) -b "$ldap_base" -s base 2> /dev/null > /dev/null
monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus:ldapsearch -x -ZZ -D "$ldap_hostdn" -w $(cat /etc/machine.secret) -b "$ldap_base" -s base 2> /dev/null > /dev/null
packaging/ucslint/testframework/0017-5-6-7-8-9/shell.sh:ldapsearch -x -LLLo ldif-wrap=no -U "$(ucr get ldap/hostdn)" -w "$(cat /etc/machine.secret)" -b "$(ucr get ldap/base)" -s base 1.1 || die
services/univention-samba/26univention-samba.inst: smbpasswd -w "$(< /etc/machine.secret)"
services/univention-samba/26univention-samba.inst: smbpasswd -w "$(< /etc/ldap.secret)"
services/univention-samba4/debian/univention-samba4.postinst: s_res="$(univention-ldapsearch -s base -h "$hostname.$domainname" -p 389 -w "$machine_secret" -D "$dn" dn | ldapsearch-wrapper | sed -ne 's|^dn: ||p')
test/product-tests/samba/utils.sh: univention-ldapsearch -D "$binddn" -w "$password" "uid=$username"

And of course many more in test scripts.

In every one of these calls the shell expands the secret into the command's argument list, so for as long as the command runs it can by default be read by any local user from `ps` output or /proc/PID/cmdline. For the OpenLDAP client tools the usual way to avoid this is to pass the secret file with `-y` instead of the value with `-w`; `-y` uses the complete file contents as the password, so a trailing newline in the file would become part of it.
I already pushed the unit test changes to 5.0-4 after checking that the pipeline still succeeds in building the packages:

univention-ldap (16.0.13-4)
 ed000c8b5887 | test(ldap): do not leak password in process list
univention-directory-listener (14.0.8-3)
 65e04428595e | test(UDL): do not leak password in process list
ucslint (1.0.0-1)
 0a39a7883d25 | test(ucslint): do not leak password in process list
ucs-test (10.0.15-14)
 9e26f096510c | test(ucs-test): do not leak password in process list

Leftovers in the MR are only:

d0567d7c2f fix(samba): do not leak password in process list
 services/univention-samba/26univention-samba.inst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
→ Bug #56332
6a51cdd346 fix(samba4): do not leak password in process list
 services/univention-samba4/debian/univention-samba4.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
dd5af96055 fix(nagios): do not leak password in process list
 monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
86ed0b80ce fix(backup2master): do not leak password in process list
 management/univention-ldap/univention-backup2master | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
→ Bug #56333
30535f4a52 fix(directory-replication): do not leak password in process list
 management/univention-directory-replication/univention-directory-replication-resync | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
0c520a9a9e fix(udm): do not leak password in process list
 management/univention-directory-manager-modules/scripts/fix_primary_group_membership | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
6fcd8130b7 fix(directory-listener-verify): do not leak password in process list
 doc/developer-reference/listener/details.rst | 2 +-
 management/univention-directory-listener/src/verify.c | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)
d3ef349c69 fix(license-import): do not leak password in process list
 base/univention-licence/tools/univention-license-import.in | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
All occurrences that I found (those listed above) have been replaced.

univention-samba4.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 5a7228f9d13f | fix(samba4): do not leak password in process list
univention-samba4 (9.0.14-4)
 5a7228f9d13f | fix(samba4): do not leak password in process list
univention-samba.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 49e9b678a30c | fix(samba): do not leak password in process list
univention-samba (14.0.9-2)
 49e9b678a30c | fix(samba): do not leak password in process list
univention-nagios.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 bceed4efd741 | fix(nagios): do not leak password in process list
univention-nagios (13.0.5-2)
 bceed4efd741 | fix(nagios): do not leak password in process list
univention-licence.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 7870e16ae325 | fix(license-import): do not leak password in process list
univention-licence (11.0.0-2)
 7870e16ae325 | fix(license-import): do not leak password in process list
univention-ldap.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 e9e4a4871fcd | fix(backup2master): do not leak password in process list
univention-ldap (16.0.13-5)
 e9e4a4871fcd | fix(backup2master): do not leak password in process list
univention-ldap (16.0.13-4)
 ed000c8b5887 | test(ldap): do not leak password in process list
univention-directory-replication.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 c9b55211c7ea | fix(directory-replication): do not leak password in process list
univention-directory-replication (13.0.7-3)
 c9b55211c7ea | fix(directory-replication): do not leak password in process list
univention-directory-manager-modules.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 e5f0a1a621dc | fix(udm): do not leak password in process list
univention-directory-manager-modules (15.0.24-22)
 e5f0a1a621dc | fix(udm): do not leak password in process list
univention-directory-listener.yaml
 7f93dea7b438 | chore(advisory): mark advisory as security issue
 22c68692a0f1 | fix(directory-listener-verify): do not leak password in process list
univention-directory-listener (14.0.8-7)
 22c68692a0f1 | fix(directory-listener-verify): do not leak password in process list
univention-directory-listener (14.0.8-3)
 65e04428595e | test(UDL): do not leak password in process list
Verified:
* Code review
* Package update
* Advisories
<https://errata.software-univention.de/#/?erratum=5.0x866> <https://errata.software-univention.de/#/?erratum=5.0x867> <https://errata.software-univention.de/#/?erratum=5.0x868> <https://errata.software-univention.de/#/?erratum=5.0x869> <https://errata.software-univention.de/#/?erratum=5.0x870> <https://errata.software-univention.de/#/?erratum=5.0x871>