[Pkg-nagios-devel] Bug#290319: marked as done (nagios-mysql: Leaks cleartext password in /var/log/messages)
Debian Bug Tracking System
owner@bugs.debian.org
Tue, 18 Jan 2005 22:03:23 -0800
Your message dated Wed, 19 Jan 2005 00:47:13 -0500
with message-id <E1Cr8gT-0003si-00@newraff.debian.org>
and subject line Bug#290319: fixed in nagios 2:1.3-cvs.20050116-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jan 2005 15:24:35 +0000
>From mikaelmagnusson@tjohoo.se Thu Jan 13 07:24:35 2005
Return-path: <mikaelmagnusson@tjohoo.se>
Received: from (mulder.hem.za.org) [84.217.28.150]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cp6pv-0001L9-00; Thu, 13 Jan 2005 07:24:35 -0800
Received: from mikael by mulder.hem.za.org with local (Exim 4.34)
id 1Cp6pp-0005w5-Qd; Thu, 13 Jan 2005 16:24:29 +0100
Date: Thu, 13 Jan 2005 16:24:29 +0100
From: Mikael Magnusson <mikma@users.sourceforge.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios-mysql: Leaks cleartext password in /var/log/messages
Message-ID: <20050113152429.GA22763@hem.za.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 3.2
User-Agent: Mutt/1.5.6+20040907i
Sender: Mikael Magnusson <mikaelmagnusson@tjohoo.se>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: nagios-mysql
Version: 2:1.3-0+pre6
Severity: important
nagios-mysql leaks the database password in /var/log/messages if it can't
connect to the mysql server.
nagios: Error: Could not connect to MySQL database 'nagios' on host '' using username 'nagios' and password 'xxxxxxxxx'. Retention data will not be processed or saved!
The line above is logged in /var/log/messages and the password is in
cleartext. I think the password should be replaced with asterisks.
Regards,
Mikael Magnusson
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (800, 'testing'), (700, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.9-1-mulder
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages nagios-mysql depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgd2-xpm 2.0.33-1.1 GD Graphics Library version 2
ii libjpeg62 6b-9.hem.za.org-1 The Independent JPEG Group's JPEG
ii libmysqlclient10 3.23.56-2 LGPL-licensed client library for M
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii nagios-common 2:1.3-0+pre6 A host/service/network monitoring
ii zlib1g 1:1.2.2-3 compression library - runtime
-- debconf information:
nagios/warnmovedcommands:
nagios/warncoords:
* nagios/wwwsuid: true
nagios/newapachecfg:
nagios/upgradefromnetsaint:
* nagios/configapache: Apache
nagios/warnupgrade_5_6:
---------------------------------------
Received: (at 290319-close) by bugs.debian.org; 19 Jan 2005 05:55:00 +0000
>From katie@ftp-master.debian.org Tue Jan 18 21:55:00 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cr8o0-0005rL-00; Tue, 18 Jan 2005 21:55:00 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1Cr8gT-0003si-00; Wed, 19 Jan 2005 00:47:13 -0500
From: Sean Finney <seanius@debian.org>
To: 290319-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#290319: fixed in nagios 2:1.3-cvs.20050116-1
Message-Id: <E1Cr8gT-0003si-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 19 Jan 2005 00:47:13 -0500
Delivered-To: 290319-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 9
Source: nagios
Source-Version: 2:1.3-cvs.20050116-1
We believe that the bug you reported is fixed in the latest version of
nagios, which is due to be installed in the Debian FTP archive:
nagios-common_1.3-cvs.20050116-1_all.deb
to pool/main/n/nagios/nagios-common_1.3-cvs.20050116-1_all.deb
nagios-mysql_1.3-cvs.20050116-1_i386.deb
to pool/main/n/nagios/nagios-mysql_1.3-cvs.20050116-1_i386.deb
nagios-pgsql_1.3-cvs.20050116-1_i386.deb
to pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050116-1_i386.deb
nagios-text_1.3-cvs.20050116-1_i386.deb
to pool/main/n/nagios/nagios-text_1.3-cvs.20050116-1_i386.deb
nagios_1.3-cvs.20050116-1.diff.gz
to pool/main/n/nagios/nagios_1.3-cvs.20050116-1.diff.gz
nagios_1.3-cvs.20050116-1.dsc
to pool/main/n/nagios/nagios_1.3-cvs.20050116-1.dsc
nagios_1.3-cvs.20050116.orig.tar.gz
to pool/main/n/nagios/nagios_1.3-cvs.20050116.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 290319@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated nagios package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 10 Jan 2005 15:13:21 -0800
Source: nagios
Binary: nagios-pgsql nagios-text nagios-mysql nagios-common
Architecture: source i386 all
Version: 2:1.3-cvs.20050116-1
Distribution: unstable
Urgency: low
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description:
nagios-common - A host/service/network monitoring and management system
nagios-mysql - A host/service/network monitoring and management system
nagios-pgsql - A host/service/network monitoring and management system
nagios-text - A host/service/network monitoring and management system
Closes: 275009 282132 283778 285550 287324 288705 289109 289404 290319 290681 290739
Changes:
nagios (2:1.3-cvs.20050116-1) unstable; urgency=low
.
* Sean Finney:
- built against a new upstream cvs snapshot, removed dpatch patches
that previously incorporated these post 1.2 changes. this also
brings in updated upstream documentation (closes: #282132).
- nagios-pgsql now recommends libdbd-pg-perl, and likewise for
nagios-mysql. thanks to raphaël 'SurcouF' Bordet <surcouf@debianfr.net>
for pointing this out with nagios-pgsql (closes: #285550).
- the postinst for nagios-common no longer fails if update-nagios
returns an error (which can be caused by nagios failing to reload)
thanks to Olivier Berger <olivier.berger@int-evry.fr> and
Petter Reinholdtsen <pere@hungry.com> (closes: #283778).
- now build against libmysqlclient14. thanks to
Greg Cox <ratness@hotmail.com> for pointing out that we were
still building against 3.23 versioned libraries.
- updated german debconf translation. thanks for this one go to
Erik Schanze <schanzi_usenet@gmx.de> (closes: #289404).
- updated danish debconf translation. thanks for this one go to
Claus Hindsgaul <claus_h@image.dk> (closes: #290739).
- don't disclose the database password in the error logs. thanks to
Mikael Magnusson <mikma@users.sourceforge.net> for pointing this
out (closes: #290319).
- fixes to calling configure in debian/rules. among other things this
should resolve issues with nagios packages not accessing hostextinfo
as they should. thanks to Roy Bonser <rbonser@spyder-monkey.com>
for pointing out these symptoms (closes: #290681).
- now include a README.pgsql, which was provided by
Ricky Ng-Adam <rngadam@yahoo.com>. this should clear up many
issues that postgresql users were having with lacking documentation.
thanks also to Marcus Better and Klaus Schiwinsky for their reports
(closes: #287324, #288705).
- now start with as a S30 script instead of S20, to make sure we
give a potential mysql/postgresql server a bit more time to
start up. not the perfect solution, but should work for most
cases. thanks to Marcus Better <marcus@better.se> for pointing
this out (closes: #289109).
- patch the sample cgi.cfg to tell the local admin how to use
extinfo based on which package they're using--as opposed to
telling them exactly a method not supported in any package,
which is what it was previously doing (closes: #275009).
Files:
500c99b69039f7b27b09d45d646503e4 1021 net optional nagios_1.3-cvs.20050116-1.dsc
fcc6cad4a46fdb10cba7882cf3953383 1621903 net optional nagios_1.3-cvs.20050116.orig.tar.gz
34e9b588e76db38c11fc9e96369e69f2 74391 net optional nagios_1.3-cvs.20050116-1.diff.gz
3fda012378696053b32d338c1959da74 901240 net optional nagios-text_1.3-cvs.20050116-1_i386.deb
4df1f6b06651cb7f25f365511757c070 906494 net optional nagios-mysql_1.3-cvs.20050116-1_i386.deb
d5b47e80dfe75933e35dd07f86a9661a 917018 net optional nagios-pgsql_1.3-cvs.20050116-1_i386.deb
658a99b57732957520d7154d45dab2f0 1214006 net optional nagios-common_1.3-cvs.20050116-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFB7e35ynjLPm522B0RArvBAJ9WGyXlkvkjyfVZY62+fbdNZUfpZwCfaA8k
vE5m3XcHv7jtna9WeaWnQ7g=
=ObUj
-----END PGP SIGNATURE-----