Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Moritz Muehlenhoff
jmm at inutil.org
Wed Oct 13 20:40:59 UTC 2010
On Wed, Oct 13, 2010 at 07:34:39PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> > Hi,
> >
> > libapache-authenhook-perl logs passwords in Apache's error.log if the
> > log level is >= info[1]. I prepared an update for Lenny including the
> > same patch used for testing/unstable (already unblocked[2] as well).
> >
> > Should this go through stable-security or does the security team see
> > this as a minor issue that should be fixed in the next point release?
> > In the former case, shall I upload a package based on the attached patch
> > to stable-security?
>
> Since the impact is minor, please fix it through a point update.
>
> I'll request a CVE ID for it and keep you CCed, maybe you can
> hold off the upload for a few days until it's available? (The
> next point update will take a few weeks anyway)

CVE-2010-3845

Cheers,
Moritz