[Pkg-javascript-devel] Bug#962629: Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile

herrn at sout.de
Wed Jun 17 22:27:33 BST 2020


Hello Daniel,

I don't have the possibility to try out a newer version of rainloop, but
according to a recent comment on the github issue [1] this is really fixed
in version 1.14.0 of rainloop. So I assume that only applies to the current
stable release.

Nevertheless I see this bug as grave enough that in my opinion this has to
be mentioned prominently to users of the package or even better be fixed in
a downstream patch (if the actual cause of the problem is known).

Best regards
Marco


[1] https://github.com/RainLoop/rainloop-webmail/issues/1872#issuecomment-645547357

On Sun, Jun 14, 2020 at 10:13:23PM -0700, Daniel Ring wrote:
> Hello Marco,
> 
> I wasn't able to reproduce this issue in the current version of Rainloop.
> Passwords were replaced by asterisks in the logs with the hide_passwords
> option enabled (the default). Could you please check to see if package
> version 1.14.0-1, currently in testing/unstable, resolves the issue for you?
> 
> Fortunately the package version in stable is secure by default, as logging
> is disabled in the default config file. The GitHub issue has unfortunately
> been open for over a year with no comments from upstream, so they likely
> have no plans to address it.
> 
> -- Daniel
> 
> On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:
> > Package: rainloop
> > Version: 1.12.1-2
> > Severity: important
> > 
> > Dear Maintainer,
> > 
> > When writing into a logfile, rainloop writes the passwords of all login
> > attempts (successful or not) into the logfile in cleartext.
> > 
> > Rainloop provides an option 'hide_passwords' in the application.ini that
> > should prohibit that behaviour, which is by default set to 'On'. But
> > apparently this doesn't have any effect.
> > 
> > There is already an unresolved github issue about that topic:
> > https://github.com/RainLoop/rainloop-webmail/issues/1872
> > 
> > Even though this issue doesn't affect the actual usability of rainloop,
> > I set the severity to 'Important' as this is a security issue.
> > 
> > 
> > -- System Information:
> > Debian Release: 10.4
> >    APT prefers stable-updates
> >    APT policy: (500, 'stable-updates'), (500, 'stable')
> > Architecture: amd64 (x86_64)
> > 
> > Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> > 
> > Versions of packages rainloop depends on:
> > ii  apache2 [httpd]         2.4.38-3+deb10u3
> > ii  ckeditor                4.11.1+dfsg-1
> > ii  php-curl                2:7.3+69
> > ii  php-fpm                 2:7.3+69
> > ii  php-nrk-predis          1.0.0-1
> > ii  php-pclzip              2.8.2-4
> > ii  php-seclib              1.0.14-1
> > ii  php-xml                 2:7.3+69
> > ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
> > ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
> > ii  php7.3-json [php-json]  7.3.14-1~deb10u1
> > ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1
> > 
> > rainloop recommends no packages.
> > 
> > Versions of packages rainloop suggests:
> > pn  php5-sqlite | php5-mysql | php5-pgsql  <none>
> > 
> > -- Configuration Files:
> > /etc/rainloop/application.ini changed [not included]
> > /etc/rainloop/rainloop.apache.conf changed [not included]
> > 
> > -- no debconf information
> > 
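The thread above describes two things a defender wants to be able to do with a webmail log: mask password values before they reach disk (what the `hide_passwords` option is supposed to do) and audit an existing log file for credentials that were written in cleartext. The following is an added example, not code from the bug report, the Debian package or the Rainloop project. It assumes two log line shapes that Rainloop's real log format may not match: a `password="..."` key/value record and a raw IMAP `LOGIN <user> <password>` command line; the sample lines are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample lines (NOT real Rainloop output; the bug report does not
# show its log format). They mimic a webmail backend logging an IMAP LOGIN
# command and a key=value auth record, once unmasked and once masked.
SAMPLE_LOG = """\
[2020-06-10 14:19:02] IMAP < TAG1 LOGIN "alice@example.org" "Hunter2!"
[2020-06-10 14:19:02] auth user="alice@example.org" password="Hunter2!" result=ok
[2020-06-10 14:19:07] IMAP < TAG2 LOGIN "bob@example.org" "********"
[2020-06-10 14:19:07] auth user="bob@example.org" password="********" result=fail
[2020-06-10 14:19:20] session started for alice@example.org
"""

# Fixed-length mask so the replacement does not leak the password length.
MASK = "********"

# key=value style: password="..." (quoted) or password=... (up to whitespace)
_KV_RE = re.compile(r'(?i)(\bpassword\s*=\s*)("[^"]*"|\S+)')
# IMAP LOGIN command: <tag> LOGIN <user> <password>; either token may be quoted.
# Kept case-sensitive so ordinary prose containing "login" is not rewritten.
_IMAP_LOGIN_RE = re.compile(r'(\bLOGIN\s+(?:"[^"]*"|\S+)\s+)("[^"]*"|\S+)')


def _mask(m: "re.Match[str]") -> str:
    return m.group(1) + '"' + MASK + '"'


def redact_line(line: str) -> str:
    """Return the line with every password value replaced by MASK."""
    line = _KV_RE.sub(_mask, line)
    line = _IMAP_LOGIN_RE.sub(_mask, line)
    return line


def redact_log(text: str) -> str:
    """Apply redact_line to every line of a log body (the write-side filter)."""
    return "\n".join(redact_line(line) for line in text.splitlines()) + "\n"


def _is_masked(value: str) -> bool:
    v = value.strip('"')
    return v != "" and set(v) == {"*"}


def find_unmasked(text: str) -> List[Tuple[int, str]]:
    """Audit helper: (line_number, field) for each cleartext password found."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in _KV_RE.finditer(line):
            if not _is_masked(m.group(2)):
                hits.append((n, "password="))
        for m in _IMAP_LOGIN_RE.finditer(line):
            if not _is_masked(m.group(2)):
                hits.append((n, "IMAP LOGIN"))
    return hits


if __name__ == "__main__":
    # Audit the constructed log, then show that the redacted copy is clean.
    print("cleartext credentials at:", find_unmasked(SAMPLE_LOG))
    cleaned = redact_log(SAMPLE_LOG)
    print(cleaned, end="")
    assert find_unmasked(cleaned) == []
```

`find_unmasked` is the check to run against an existing logfile after enabling `hide_passwords`: if it still reports hits, the option is not taking effect for that line shape and the log needs to be treated as containing credentials (rotated out, permissions reviewed, affected users' passwords reset). `redact_log` is the shape of a write-side filter; the regexes only cover the two constructed formats and must be adapted to the real log layout.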