Package: debmirror
Version: 1:2.43
Tags: security
Severity: grave

When using debmirror to create a mirror of a private registry that uses HTTP/HTTPS basic authentication, use of the --progress flag causes the username and password to be printed in the download progress display. The example below uses a private Gitea package registry:
# ...
Getting meta files ...
[ 0%] Getting: dists/noble/Release... #** GET https://USERNAME:passw...@url.com/api/packages/Organization/debian/dists/noble/Release ==> 200 OK (1s)
 ok
[ 0%] Getting: dists/noble/InRelease... #** GET GET https://USERNAME:passw...@url.com/api/packages/Organization/debian/dists/noble/InRelease ==> 200 OK
 ok
GET https://USERNAME:passw...@url.com/api/packages/Organization/debian/dists/noble/Release.gpg ==> 200 OK
 ok
Parsing Packages and Sources files ...
Missing: pool/noble/main/package_0.1.0-1_amd64.deb
Missing: pool/noble/main/package_0.1.1-1_amd64.deb
Missing: pool/noble/main/package_0.1.2-1_amd64.deb
Missing: pool/noble/main/package_0.1.3-1_amd64.deb
Missing: pool/noble/main/package_0.1.4-1_amd64.deb
Missing: pool/noble/main/package_0.1.5-1_amd64.deb
Missing: pool/noble/main/package_0.1.6-1_amd64.deb
Missing: pool/noble/main/package_0.1.7-1_amd64.deb
Missing: pool/noble/main/package_0.1.8-1_amd64.deb
Missing: pool/noble/main/package_0.1.9-1_amd64.deb
Missing: pool/noble/main/package_0.1.10-1_amd64.deb
Get Translation files ...
Get DEP-11 metadata files ...
Get command-not-found metadata files ...
Files to download: 71 MiB
[ 0%] Getting: pool/noble/main/package_0.1.0-1_amd64.deb... #** GET https://USERNAME:passw...@url.com/api/packages/Organization/debian/pool/noble/main/package_0.1.0-1_amd64.deb ==> 200 OK (12s)
# ...

This is due to debmirror performing basic authentication by putting the credentials in the URL and then calling show_progress on the LWP::UserAgent that performs the web requests. I suspect the issue could be resolved by using the "credentials" method of the user agent instead of putting the credentials in the request URL.
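The following Perl script is an added illustration, not part of this bug report and not debmirror's own code. It reproduces the leak with LWP::UserAgent's show_progress and shows the two ways of passing the credentials out of band: registering them with the user agent's credentials() method (used when the server answers 401) and setting the Authorization header directly on the request. A request_send handler returns a canned 200 response so the script runs offline; the URL, user name, password and the realm string "Gitea Package API" are made up for the example.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or debmirror): credentials embedded in
# the URL are printed by LWP::UserAgent's progress display; credentials passed
# via credentials() or authorization_basic() are not. Host, user, password and
# realm below are invented.
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_unescape);
use HTTP::Request;
use HTTP::Response;
use LWP::UserAgent;

# Split https://user:pass@host/path into a credential-free URL plus the user
# name and password (both undef when the URL carries no userinfo).
sub scrub_userinfo {
    my ($url) = @_;
    my $uri  = URI->new($url);
    my $info = $uri->userinfo;
    return ($uri->as_string, undef, undef) unless defined $info;
    my ($user, $pass) = split /:/, $info, 2;
    # userinfo is stored percent-encoded; decode so the values are usable
    $user = uri_unescape($user);
    $pass = uri_unescape($pass) if defined $pass;
    $uri->userinfo(undef);
    return ($uri->as_string, $user, $pass);
}

# Stand-in for the remote server: the request_send handler answers every
# request with 200 OK before any network access, so only LWP's own progress
# display runs. Everything else in send_request (including progress) is real.
sub canned_server {
    my ($ua) = @_;
    $ua->add_handler(request_send => sub {
        my ($request) = @_;
        return HTTP::Response->new(200, 'OK');
    });
}

my $secret_url = 'https://USERNAME:s3cret@url.com/api/packages/Organization/debian/dists/noble/Release';

# 1) What debmirror does: credentials inside the URL. progress("begin") prints
#    the request URI verbatim, password included, to STDERR:
#    ** GET https://USERNAME:s3cret@url.com/api/.../Release ==> 200 OK
my $leaky = LWP::UserAgent->new;
$leaky->show_progress(1);
canned_server($leaky);
$leaky->get($secret_url);

# 2) Credentials kept out of the URL. credentials() lets LWP answer a 401
#    challenge; the realm must match the one the server sends (assumed here).
#    authorization_basic() additionally sends the header pre-emptively, so no
#    challenge round trip is needed. The progress line now shows only:
#    ** GET https://url.com/api/.../Release ==> 200 OK
my ($clean_url, $user, $pass) = scrub_userinfo($secret_url);
my $uri = URI->new($clean_url);

my $safe = LWP::UserAgent->new;
$safe->show_progress(1);
canned_server($safe);
$safe->credentials($uri->host_port, 'Gitea Package API', $user, $pass);

my $req = HTTP::Request->new(GET => $clean_url);
$req->authorization_basic($user, $pass);
$safe->request($req);
```

Run it and compare the two "** GET ..." lines on STDERR. The same exposure applies to anything else that stringifies the request URI while the credentials live in it, such as warnings or error messages that include the URL, so moving the credentials out of the URL fixes more than the progress display.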