[Pkg-javascript-devel] Bug#962629: Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile

Daniel Ring dring at wolfishly.me
Mon Jun 15 06:13:23 BST 2020


Hello Marco,

I wasn't able to reproduce this issue in the current version of 
Rainloop. Passwords were replaced by asterisks in the logs with the 
hide_passwords option enabled (the default). Could you please check to 
see if package version 1.14.0-1, currently in testing/unstable, resolves 
the issue for you?

Fortunately the package version in stable is secure by default, as 
logging is disabled in the default config file. The GitHub issue has 
unfortunately been open for over a year with no comments from upstream, 
so they likely have no plans to address it.

-- Daniel

On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:
> Package: rainloop
> Version: 1.12.1-2
> Severity: important
> 
> Dear Maintainer,
> 
> When writing into a logfile, rainloop writes the passwords of all login
> attempts (successful or not) into the logfile in cleartext.
> 
> Rainloop provides an option 'hide_passwords' in the application.ini that
> should prohibit that behaviour, which is by default set to 'On'. But
> apparently this doesn't have any effect.
> 
> There is already an unresolved GitHub issue about that topic:
> https://github.com/RainLoop/rainloop-webmail/issues/1872
> 
> Even though this issue doesn't affect the actual usability of rainloop,
> I set the severity to 'Important' as this is a security issue.
> 
> 
> -- System Information:
> Debian Release: 10.4
>    APT prefers stable-updates
>    APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages rainloop depends on:
> ii  apache2 [httpd]         2.4.38-3+deb10u3
> ii  ckeditor                4.11.1+dfsg-1
> ii  php-curl                2:7.3+69
> ii  php-fpm                 2:7.3+69
> ii  php-nrk-predis          1.0.0-1
> ii  php-pclzip              2.8.2-4
> ii  php-seclib              1.0.14-1
> ii  php-xml                 2:7.3+69
> ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
> ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
> ii  php7.3-json [php-json]  7.3.14-1~deb10u1
> ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1
> 
> rainloop recommends no packages.
> 
> Versions of packages rainloop suggests:
> pn  php5-sqlite | php5-mysql | php5-pgsql  <none>
> 
> -- Configuration Files:
> /etc/rainloop/application.ini changed [not included]
> /etc/rainloop/rainloop.apache.conf changed [not included]
> 
> -- no debconf information
> 
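A defender-side check for the behaviour discussed in this thread, added here as an example and not part of the bug report or of Rainloop's own code: a log redaction filter that masks the credential in IMAP `LOGIN` commands and `password=` form fields (what the `hide_passwords` option is meant to do), plus a scan that confirms a known throwaway test password never appears in clear. The log lines and their layout are constructed for the example; Rainloop's real log format may differ.

```python
import re

# Constructed sample log lines (not Rainloop's actual format): an IMAP LOGIN
# command and an HTTP request dump, each carrying the credential in clear.
SAMPLE_LOG = [
    '[2020-06-10 14:19:01][abc123] IMAP: > LOGIN "alice@example.org" "Hunter2!"',
    '[2020-06-10 14:19:02][abc123] IMAP: < OK LOGIN completed',
    '[2020-06-10 14:19:05][def456] POST Password=Hunter2!&Email=alice@example.org',
]

# Every pattern captures the secret in a named group "secret"; the rest of
# the match is kept verbatim so the log stays readable after redaction.
SECRET_PATTERNS = [
    # IMAP: LOGIN "user" "password"
    re.compile(r'LOGIN\s+"[^"]*"\s+"(?P<secret>[^"]*)"', re.IGNORECASE),
    # Request dumps: password=..., passwd=..., pass=..., pwd=...
    re.compile(r'(?:pass(?:word|wd)?|pwd)=(?P<secret>[^&\s]+)', re.IGNORECASE),
]

# Fixed-width mask so the redacted log does not even leak the password length.
MASK = "********"


def redact_line(line: str) -> str:
    """Return the line with every recognised secret replaced by MASK."""
    for pattern in SECRET_PATTERNS:
        out, pos = [], 0
        for m in pattern.finditer(line):
            out.append(line[pos:m.start("secret")])
            out.append(MASK)
            pos = m.end("secret")
        out.append(line[pos:])
        line = "".join(out)
    return line


def redact_log(lines):
    return [redact_line(line) for line in lines]


def find_leaks(lines, known_password: str):
    """1-based line numbers where a known test password appears in clear.

    Run this over the application log after logging in with a throwaway
    account to verify that password hiding actually took effect."""
    return [n for n, line in enumerate(lines, 1) if known_password in line]


if __name__ == "__main__":
    print("leaks before redaction:", find_leaks(SAMPLE_LOG, "Hunter2!"))
    for line in redact_log(SAMPLE_LOG):
        print(line)
```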