[Pkg-nagios-devel] Bug#290319: nagios-mysql: Leaks cleartext password in /var/log/messages

Mikael Magnusson <mikma@users.sourceforge.net>, 290319@bugs.debian.org
Thu, 13 Jan 2005 16:24:29 +0100

Package: nagios-mysql
Version: 2:1.3-0+pre6
Severity: important

nagios-mysql leaks the database password in /var/log/messages if it can't
connect to the mysql server.

  nagios: Error: Could not connect to MySQL database 'nagios' on host '' using username 'nagios' and password 'xxxxxxxxx'.  Retention data will not be processed or saved!

The line above is logged in /var/log/messages and the password is in
cleartext. I think the password should be replaced with asterisks.

Mikael Magnusson

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.9-1-mulder
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages nagios-mysql depends on:
ii  libc6                  2.3.2.ds1-20      GNU C Library: Shared libraries an
ii  libgd2-xpm             2.0.33-1.1        GD Graphics Library version 2
ii  libjpeg62              6b-9.hem.za.org-1 The Independent JPEG Group's JPEG 
ii  libmysqlclient10       3.23.56-2         LGPL-licensed client library for M
ii  libpng12-0             1.2.8rel-1        PNG library - runtime
ii  nagios-common          2:1.3-0+pre6      A host/service/network monitoring 
ii  zlib1g                 1:1.2.2-3         compression library - runtime

-- debconf information:
* nagios/wwwsuid: true
* nagios/configapache: Apache
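
A log scrubber for the message format quoted in this report, added here as an example; it is not part of the original report or of Nagios. It finds lines that carry the password and masks them with a fixed-width mask, as the report suggests. The sample lines, host name and passwords are constructed, and the function names are hypothetical.

```python
import re

MASK = "********"  # fixed width, so the password length is not revealed

# Message format as quoted in the bug report. The password group is greedy so
# that a password containing an apostrophe is consumed up to the last "'."
# on the line; over-matching only masks more text, never less.
LEAK_RE = re.compile(
    r"Could not connect to MySQL database '.*?' on host '.*?' "
    r"using username '.*?' and password '(.*)'\."
)

def redact_line(line):
    """Return (line with the password masked, True if a password was exposed)."""
    m = LEAK_RE.search(line)
    if not m or m.group(1) == MASK:
        return line, False          # unrelated line, or already masked
    return line[:m.start(1)] + MASK + line[m.end(1):], True

def redact_log(lines):
    """Mask every leaking line; return (new_lines, 1-based numbers of leaking lines)."""
    out, hits = [], []
    for lineno, line in enumerate(lines, 1):
        new, leaked = redact_line(line)
        out.append(new)
        if leaked:
            hits.append(lineno)
    return out, hits

# Constructed sample input in the style of /var/log/messages.
_ERR = ("Jan 13 16:2{}:01 mon1 nagios: Error: Could not connect to MySQL "
        "database 'nagios' on host '' using username 'nagios' and password "
        "'{}'.  Retention data will not be processed or saved!")
SAMPLE = [
    "Jan 13 16:20:00 mon1 cron[812]: (root) CMD (run-parts /etc/cron.hourly)",
    _ERR.format(0, "hunter2"),
    _ERR.format(5, "it's-s3cret"),   # password containing an apostrophe
]

if __name__ == "__main__":
    cleaned, hits = redact_log(SAMPLE)
    print("\n".join(cleaned))
    print("lines that exposed a password:", hits)
```

Any line number the scrubber reports means the password was readable by whoever could read the log, so masking the file does not replace changing that database password.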