[Pkg-javascript-devel] Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile
herrn at sout.de
Wed Jun 17 22:27:33 BST 2020
Hello Daniel,
I don't have the possibility to try out a newer version of rainloop, but
according to a recent comment on the github issue [1] this is really fixed
in version 1.14.0 of rainloop. So I assume that only applies to the current
stable release.
Nevertheless I see this bug as grave enough that in my opinion this has to
be mentioned prominently to users of the package or even better be fixed in
a downstream patch (if the actual cause of the problem is known).
Best regards
Marco
[1] https://github.com/RainLoop/rainloop-webmail/issues/1872#issuecomment-645547357
On Sun, Jun 14, 2020 at 10:13:23PM -0700, Daniel Ring wrote:
> Hello Marco,
>
> I wasn't able to reproduce this issue in the current version of Rainloop.
> Passwords were replaced by asterisks in the logs with the hide_passwords
> option enabled (the default). Could you please check to see if package
> version 1.14.0-1, currently in testing/unstable, resolves the issue for you?
>
> Fortunately the package version in stable is secure by default, as logging
> is disabled in the default config file. The GitHub issue has unfortunately
> been open for over a year with no comments from upstream, so they likely
> have no plans to address it.
>
> -- Daniel
>
> On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:
> > Package: rainloop
> > Version: 1.12.1-2
> > Severity: important
> >
> > Dear Maintainer,
> >
> > When writing into a logfile, rainloop writes the passwords of all login
> > attempts (successful or not) into the logfile in cleartext.
> >
> > Rainloop provides an option 'hide_passwords' in the application.ini that
> > should prohibit that behaviour, which is by default set to 'On'. But
> > apparently this doesn't have any effect.
> >
> > There is already an unresolved github issue about that topic:
> > https://github.com/RainLoop/rainloop-webmail/issues/1872
> >
> > Even though this issue doesn't affect the actual usability of rainloop,
> > I set the severity to 'Important' as this is a security issue.
> >
> >
> > -- System Information:
> > Debian Release: 10.4
> > APT prefers stable-updates
> > APT policy: (500, 'stable-updates'), (500, 'stable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> >
> > Versions of packages rainloop depends on:
> > ii apache2 [httpd] 2.4.38-3+deb10u3
> > ii ckeditor 4.11.1+dfsg-1
> > ii php-curl 2:7.3+69
> > ii php-fpm 2:7.3+69
> > ii php-nrk-predis 1.0.0-1
> > ii php-pclzip 2.8.2-4
> > ii php-seclib 1.0.14-1
> > ii php-xml 2:7.3+69
> > ii php7.3-curl [php-curl] 7.3.14-1~deb10u1
> > ii php7.3-fpm [php-fpm] 7.3.14-1~deb10u1
> > ii php7.3-json [php-json] 7.3.14-1~deb10u1
> > ii php7.3-xml [php-xml] 7.3.14-1~deb10u1
> >
> > rainloop recommends no packages.
> >
> > Versions of packages rainloop suggests:
> > pn php5-sqlite | php5-mysql | php5-pgsql <none>
> >
> > -- Configuration Files:
> > /etc/rainloop/application.ini changed [not included]
> > /etc/rainloop/rainloop.apache.conf changed [not included]
> >
> > -- no debconf information
> >
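A quick way to confirm the symptom discussed in this thread on your own install (whether a password used for a login attempt ends up in the RainLoop log despite hide_passwords) is to log in once with a throwaway account whose password you know and scan the log for every encoding that password could take. The script below is an added example for this archive page; it is not RainLoop code and not part of the Debian package. The sample log lines are constructed and do not reproduce RainLoop's real log format, the test account and password are made up, and scan_file() is a helper written for this example. Note that in the stable package logging is off by default (as Daniel points out above), so enable it in a test copy of application.ini before checking.

```python
"""Check whether a known test password shows up in a webmail log.

Added example for this thread; it is not RainLoop code and not part of the
Debian package. SAMPLE_LOG below is constructed for illustration and does
not reproduce RainLoop's real log format. For a real check, log in once with
a throwaway account whose password you know and run scan_file() on the log.
"""
import base64
import urllib.parse

TEST_USER = "alice@example.org"   # constructed test account
TEST_PASSWORD = "Tr0ub4dor&3"     # constructed throwaway password


def sasl_plain_blob(user, password, authzid=""):
    """Base64 SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd.

    This is what an IMAP 'AUTHENTICATE PLAIN' exchange carries, so a log that
    records the raw IMAP conversation leaks the password in this form even
    though the cleartext string never appears in it.
    """
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def credential_forms(user, password):
    """Encodings in which a password commonly lands in application logs."""
    return {
        "cleartext": password,
        "url_encoded": urllib.parse.quote(password, safe=""),
        "base64_password": base64.b64encode(password.encode()).decode(),
        "sasl_plain": sasl_plain_blob(user, password),
        "sasl_plain_authzid": sasl_plain_blob(user, password, authzid=user),
    }


def find_leaks(log_text, forms):
    """Return (line_number, form_name) for every line containing a form."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, needle in forms.items():
            if needle and needle in line:
                hits.append((lineno, name))
    return hits


def redact(log_text, forms, mask="********"):
    """What a working hide_passwords option should do: replace every known
    form of the secret with a fixed-length mask before the line is written."""
    # Longest needles first so a blob is not half-masked by a shorter match.
    for needle in sorted(forms.values(), key=len, reverse=True):
        log_text = log_text.replace(needle, mask)
    return log_text


def scan_file(path, user, password):
    """Scan a real log file on disk for a known test credential."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_leaks(fh.read(), credential_forms(user, password))


# Constructed sample log lines (NOT RainLoop's real format). Lines 2 to 4 leak
# the test password in three different encodings; line 5 is properly masked.
SAMPLE_LOG = "\n".join([
    f"[2020-06-10 14:19:01] INFO: login attempt for {TEST_USER}",
    f'[2020-06-10 14:19:01] DEBUG: IMAP > A001 LOGIN "{TEST_USER}" "{TEST_PASSWORD}"',
    f"[2020-06-10 14:19:02] DEBUG: IMAP > A002 AUTHENTICATE PLAIN "
    f"{sasl_plain_blob(TEST_USER, TEST_PASSWORD)}",
    f"[2020-06-10 14:19:02] DEBUG: HTTP POST body Email={urllib.parse.quote(TEST_USER, safe='')}"
    f"&Password={urllib.parse.quote(TEST_PASSWORD, safe='')}",
    f'[2020-06-10 14:19:03] DEBUG: IMAP > A003 LOGIN "{TEST_USER}" "********"',
    "[2020-06-10 14:19:03] INFO: login ok",
])

if __name__ == "__main__":
    forms = credential_forms(TEST_USER, TEST_PASSWORD)
    for lineno, name in find_leaks(SAMPLE_LOG, forms):
        print(f"line {lineno}: password present as {name}")
    print("--- after redaction ---")
    print(redact(SAMPLE_LOG, forms))
```

A plain grep for the cleartext password misses the base64 SASL PLAIN and URL-encoded forms, which is why the check derives those from the known password instead of only searching for it verbatim. The script only confirms the symptom; it does not cover every possible encoding (challenge-response mechanisms, for instance, never put the password on the wire), and the actual fix remains the upstream change or the downstream patch asked for above.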