[Pkg-nagios-devel] Bug#290319: marked as done (nagios-mysql: Leaks cleartext password in /var/log/messages)

Debian Bug Tracking System owner@bugs.debian.org
Tue, 18 Jan 2005 22:03:23 -0800


Your message dated Wed, 19 Jan 2005 00:47:13 -0500
with message-id <E1Cr8gT-0003si-00@newraff.debian.org>
and subject line Bug#290319: fixed in nagios 2:1.3-cvs.20050116-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jan 2005 15:24:35 +0000
>From mikaelmagnusson@tjohoo.se Thu Jan 13 07:24:35 2005
Return-path: <mikaelmagnusson@tjohoo.se>
Received: from (mulder.hem.za.org) [84.217.28.150] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cp6pv-0001L9-00; Thu, 13 Jan 2005 07:24:35 -0800
Received: from mikael by mulder.hem.za.org with local (Exim 4.34)
	id 1Cp6pp-0005w5-Qd; Thu, 13 Jan 2005 16:24:29 +0100
Date: Thu, 13 Jan 2005 16:24:29 +0100
From: Mikael Magnusson <mikma@users.sourceforge.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios-mysql: Leaks cleartext password in /var/log/messages
Message-ID: <20050113152429.GA22763@hem.za.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 3.2
User-Agent: Mutt/1.5.6+20040907i
Sender: Mikael Magnusson <mikaelmagnusson@tjohoo.se>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: nagios-mysql
Version: 2:1.3-0+pre6
Severity: important


nagios-mysql leaks the database password in /var/log/messages if it can't
connect to the mysql server.

  nagios: Error: Could not connect to MySQL database 'nagios' on host '' using username 'nagios' and password 'xxxxxxxxx'.  Retention data will not be processed or saved!

The line above is logged in /var/log/messages and the password is in
cleartext. I think the password should be replaced with asterisks.

Regards,
Mikael Magnusson


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.9-1-mulder
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages nagios-mysql depends on:
ii  libc6                  2.3.2.ds1-20      GNU C Library: Shared libraries an
ii  libgd2-xpm             2.0.33-1.1        GD Graphics Library version 2
ii  libjpeg62              6b-9.hem.za.org-1 The Independent JPEG Group's JPEG 
ii  libmysqlclient10       3.23.56-2         LGPL-licensed client library for M
ii  libpng12-0             1.2.8rel-1        PNG library - runtime
ii  nagios-common          2:1.3-0+pre6      A host/service/network monitoring 
ii  zlib1g                 1:1.2.2-3         compression library - runtime

-- debconf information:
  nagios/warnmovedcommands:
  nagios/warncoords:
* nagios/wwwsuid: true
  nagios/newapachecfg:
  nagios/upgradefromnetsaint:
* nagios/configapache: Apache
  nagios/warnupgrade_5_6:

---------------------------------------
Received: (at 290319-close) by bugs.debian.org; 19 Jan 2005 05:55:00 +0000
>From katie@ftp-master.debian.org Tue Jan 18 21:55:00 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cr8o0-0005rL-00; Tue, 18 Jan 2005 21:55:00 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1Cr8gT-0003si-00; Wed, 19 Jan 2005 00:47:13 -0500
From: Sean Finney <seanius@debian.org>
To: 290319-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#290319: fixed in nagios 2:1.3-cvs.20050116-1
Message-Id: <E1Cr8gT-0003si-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 19 Jan 2005 00:47:13 -0500
Delivered-To: 290319-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 9

Source: nagios
Source-Version: 2:1.3-cvs.20050116-1

We believe that the bug you reported is fixed in the latest version of
nagios, which is due to be installed in the Debian FTP archive:

nagios-common_1.3-cvs.20050116-1_all.deb
  to pool/main/n/nagios/nagios-common_1.3-cvs.20050116-1_all.deb
nagios-mysql_1.3-cvs.20050116-1_i386.deb
  to pool/main/n/nagios/nagios-mysql_1.3-cvs.20050116-1_i386.deb
nagios-pgsql_1.3-cvs.20050116-1_i386.deb
  to pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050116-1_i386.deb
nagios-text_1.3-cvs.20050116-1_i386.deb
  to pool/main/n/nagios/nagios-text_1.3-cvs.20050116-1_i386.deb
nagios_1.3-cvs.20050116-1.diff.gz
  to pool/main/n/nagios/nagios_1.3-cvs.20050116-1.diff.gz
nagios_1.3-cvs.20050116-1.dsc
  to pool/main/n/nagios/nagios_1.3-cvs.20050116-1.dsc
nagios_1.3-cvs.20050116.orig.tar.gz
  to pool/main/n/nagios/nagios_1.3-cvs.20050116.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 290319@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated nagios package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 10 Jan 2005 15:13:21 -0800
Source: nagios
Binary: nagios-pgsql nagios-text nagios-mysql nagios-common
Architecture: source i386 all
Version: 2:1.3-cvs.20050116-1
Distribution: unstable
Urgency: low
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description: 
 nagios-common - A host/service/network monitoring and management system
 nagios-mysql - A host/service/network monitoring and management system
 nagios-pgsql - A host/service/network monitoring and management system
 nagios-text - A host/service/network monitoring and management system
Closes: 275009 282132 283778 285550 287324 288705 289109 289404 290319 290681 290739
Changes: 
 nagios (2:1.3-cvs.20050116-1) unstable; urgency=low
 .
   * Sean Finney:
     - built against a new upstream cvs snapshot, removed dpatch patches
       that previously incorporated these post 1.2 changes.  this also
       brings in updated upstream documentation (closes: #282132).
     - nagios-pgsql now recommends libdbd-pg-perl, and likewise for
       nagios-mysql.  thanks to raphaŽl 'SurcouF' Bordet <surcouf@debianfr.net>
       for pointing this out with nagios-pgsql (closes: #285550).
     - the postinst for nagios-common no longer fails if update-nagios
       returns an error (which can be caused by nagios failing to reload)
       thanks to Olivier Berger <olivier.berger@int-evry.fr> and
       Petter Reinholdtsen <pere@hungry.com> (closes: #283778).
     - now build against libmysqlclient14.  thanks to
       Greg Cox <ratness@hotmail.com> for pointing out that we were
       still building against 3.23 versioned libraries.
     - updated german debconf translation.  thanks for this one go to
       Erik Schanze <schanzi_usenet@gmx.de> (closes: #289404).
     - updated danish debconf translation.  thanks for this one go to
       Claus Hindsgaul <claus_h@image.dk> (closes: #290739).
     - don't disclose the database password in the error logs.  thanks to
       Mikael Magnusson <mikma@users.sourceforge.net> for pointing this
       out (closes: #290319).
     - fixes to calling configure in debian/rules.  among other things this
       should resolve issues with nagios packages not accessing hostextinfo
       as they should.  thanks to Roy Bonser <rbonser@spyder-monkey.com>
       for pointing out these symptoms (closes: #290681).
     - now include a README.pgsql, which was provided by
       Ricky Ng-Adam <rngadam@yahoo.com>.  this should clear up many
       issues that postgresql users were having with lacking documentation.
       thanks also to Marcus Better and Klaus Schiwinsky for their reports
       (closes: #287324, #288705).
     - now start with as a S30 script instead of S20, to make sure we
       give a potential mysql/postgresql server a bit more time to
       start up.  not the perfect solution, but should work for most
       cases.  thanks to Marcus Better <marcus@better.se> for pointing
       this out (closes: #289109).
     - patch the sample cgi.cfg to tell the local admin how to use
       extinfo based on which package they're using--as opposed to
       telling them exactly a method not supported in any package,
       which is what it was previously doing (closes: #275009).
Files: 
 500c99b69039f7b27b09d45d646503e4 1021 net optional nagios_1.3-cvs.20050116-1.dsc
 fcc6cad4a46fdb10cba7882cf3953383 1621903 net optional nagios_1.3-cvs.20050116.orig.tar.gz
 34e9b588e76db38c11fc9e96369e69f2 74391 net optional nagios_1.3-cvs.20050116-1.diff.gz
 3fda012378696053b32d338c1959da74 901240 net optional nagios-text_1.3-cvs.20050116-1_i386.deb
 4df1f6b06651cb7f25f365511757c070 906494 net optional nagios-mysql_1.3-cvs.20050116-1_i386.deb
 d5b47e80dfe75933e35dd07f86a9661a 917018 net optional nagios-pgsql_1.3-cvs.20050116-1_i386.deb
 658a99b57732957520d7154d45dab2f0 1214006 net optional nagios-common_1.3-cvs.20050116-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB7e35ynjLPm522B0RArvBAJ9WGyXlkvkjyfVZY62+fbdNZUfpZwCfaA8k
vE5m3XcHv7jtna9WeaWnQ7g=
=ObUj
-----END PGP SIGNATURE-----