[debian-mysql] Bug#513262: Bug#513262: mysql-server-5.0: Leaves password in debconf database
Norbert Tretkowski
norbert at tretkowski.de
Tue Jan 27 19:16:56 UTC 2009
On Thursday, 11.12.2008 at 05:25 +0100, Yohann Lepage wrote:
> If you look at /var/cache/debconf/passwords.dat, you'll find a copy of
> the password in there (just root_password_again). While the file is
> only readable by root, this is an unnecessary way to leak the
> password.
>
> Best practice for password prompting with debconf is to call db_reset
> to clear the password out of the database as soon as possible after
> you use it.
>
> This bug was probably introduced by the patch #471887.
Not sure why I got this mail today, about 1 1/2 months after you sent
it, but you're right, this problem was introduced by the patch from
#471887.
I added a fix to our svn repository and will upload it tomorrow!
Thanks, Norbert
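
Added example (not part of the original mail or the package's own code): a shell check for the condition reported above, listing debconf password questions that still hold a value after installation. It assumes debconf's default stanza layout (`Name:` and `Value:` fields, blank line between entries); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Report debconf questions whose Value: field is non-empty, i.e. entries
# a maintainer script did not clear with db_reset after use.
# Only question names are printed, never the stored values.

leftover_passwords() {
    # $1: path to a passwords.dat-style file
    awk '
        function emit() {
            if (name != "" && value != "") print name
            name = ""; value = ""
        }
        /^Name:/   { emit(); name = $0; sub(/^Name:[ \t]*/, "", name); next }
        /^Value:/  { value = $0; sub(/^Value:[ \t]*/, "", value); next }
        /^[ \t]*$/ { emit() }
        END        { emit() }
    ' "$1"
}

# Constructed sample: one cleared entry, one that still holds a password.
make_sample() {
    cat > "$1" <<'EOF'
Name: mysql-server/root_password
Template: mysql-server/root_password
Value:
Owners: mysql-server-5.0
Flags: seen

Name: mysql-server/root_password_again
Template: mysql-server/root_password_again
Value: constructed-secret
Owners: mysql-server-5.0
Flags: seen
EOF
}

sample=$(mktemp)
make_sample "$sample"
leftover_passwords "$sample"   # prints mysql-server/root_password_again
rm -f "$sample"
```

On an installed system the same function can be pointed at /var/cache/debconf/passwords.dat as root; any name it prints is a question whose value was left in the database.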