Bug#599712: libapache-authenhook-perl: leaks passwords to the logs

Moritz Muehlenhoff jmm at inutil.org
Wed Oct 13 17:34:39 UTC 2010


On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> Hi,
> 
> libapache-authenhook-perl logs passwords in Apache's error.log if the
> log level is >= info[1].  I prepared an update for Lenny including the
> same patch used for testing/unstable (already unblocked[2] as well).
> 
> Should this go through stable-security or does the security team see
> this as a minor issue that should be fixed in the next point release?
> In the former case, shall I upload a package based on the attached patch
> to stable-security?

Since the impact is minor, please fix it through a point update.

I'll request a CVE ID for it and keep you CCed, maybe you can
hold off the upload for a few days until it's available? (The
next point update will take a few weeks anyway)

Cheers,
        Moritz




