Package: mysql-server-5.0
Version: 5.0.51a-21
Severity: normal

If you look at /var/cache/debconf/passwords.dat, you'll find a copy of the password in there (just root_password_again). While the file is only readable by root, this is an unnecessary way to leak the password.
Best practice for password prompting with debconf is to call db_reset to clear the password out of the database as soon as possible after you use it. This bug was probably introduced by the patch #471887.

For example:

debian:~# head -n 11 /var/cache/debconf/passwords.dat
Name: mysql-server/root_password
Template: mysql-server/root_password
Value:
Owners: mysql-server-5.0
Flags: seen

Name: mysql-server/root_password_again
Template: mysql-server/root_password_again
Value: bonjour
Owners: mysql-server-5.0
Flags: seen
debian:~# debconf-get-selections |head -n 6
# for internal use
passwd passwd/root-password-crypted password
# for internal use
passwd passwd/user-password-crypted password
# Confirmation du mot de passe du superutilisateur de MySQL :
mysql-server-5.0 mysql-server/root_password_again password bonjour

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mysql-server-5.0 depends on:
ii  adduser               3.110              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.24             Debian configuration management sy
ii  libc6                 2.7-18             GNU C Library: Shared libraries
ii  libdbi-perl           1.605-1            Perl5 database interface by Tim Bu
ii  libgcc1               1:4.3.2-1.1        GCC support library
ii  libmysqlclient15off   5.0.51a-21         MySQL database client library
ii  libncurses5           5.7+20081213-1     shared libraries for terminal hand
ii  libreadline5          5.2-3              GNU readline and history libraries
ii  libstdc++6            4.3.2-1.1          The GNU Standard C++ Library v3
ii  libwrap0              7.6.q-16           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-20             Linux Standard Base 3.2 init scrip
ii  mysql-client-5.0      5.0.51a-21         MySQL database client binaries
ii  mysql-common          5.0.51a-21         MySQL database common files
ii  passwd                1:4.1.1-6          change and administer password and
ii  perl                  5.10.0-19          Larry Wall's Practical Extraction
ii  psmisc                22.6-1             Utilities that use the proc filesy
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages mysql-server-5.0 recommends:
ii  bsd-mailx [mailx]     8.1.2-0.20071201cvs-3  A simple mail user agent
ii  libhtml-template-p    2.9-1                  HTML::Template : A module for usin
ii  mailx                 1:20071201-3           Transitional package for mailx ren

Versions of packages mysql-server-5.0 suggests:
pn  tinyca                <none>             (no description available)

-- debconf information:
* mysql-server/root_password_again: (password omitted)
* mysql-server/root_password: (password omitted)
  mysql-server-5.0/really_downgrade: false
* mysql-server-5.0/need_sarge_compat: false
  mysql-server-5.0/start_on_boot: true
  mysql-server/error_setting_password:
  mysql-server-5.0/nis_warning:
  mysql-server-5.0/postrm_remove_databases: false
  mysql-server-5.0/need_sarge_compat_done: true
* mysql-server/password_mismatch:
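An audit check for the leak this report describes, added here as an example and not part of the bug report or the mysql-server package: it reads a file in the stanza layout of /var/cache/debconf/passwords.dat and lists every password template whose Value was never cleared with db_reset. The function name and the sample stanzas are constructed for this example.

```shell
#!/bin/sh
# leaked_debconf_passwords FILE
#   Print the Name of every stanza in a passwords.dat-format file whose
#   Value is non-empty, i.e. a plaintext password the maintainer script
#   never cleared with db_reset. Prints nothing when the file is clean.
#   (Example helper, not part of debconf; name is made up for this example.)
leaked_debconf_passwords() {
    awk 'BEGIN { RS = ""; FS = "\n" }   # one record per blank-line-separated stanza
    {
        name = ""; value = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Name:/)  { name  = $i; sub(/^Name:[ \t]*/,  "", name)  }
            if ($i ~ /^Value:/) { value = $i; sub(/^Value:[ \t]*/, "", value) }
        }
        if (name != "" && value != "") print name
    }' "$1"
}

# Constructed sample in the same layout the report shows (not a real
# passwords.dat): the first stanza was cleared, the second still holds a value.
SAMPLE_DAT=$(mktemp)
cat > "$SAMPLE_DAT" <<'EOF'
Name: mysql-server/root_password
Template: mysql-server/root_password
Value:
Owners: mysql-server-5.0
Flags: seen

Name: mysql-server/root_password_again
Template: mysql-server/root_password_again
Value: bonjour
Owners: mysql-server-5.0
Flags: seen
EOF

# On a real system (as root): leaked_debconf_passwords /var/cache/debconf/passwords.dat
# Here it reports only the stanza the maintainer script forgot to db_reset.
leaked_debconf_passwords "$SAMPLE_DAT"
```

Any template name it prints is one the owning package's postinst should db_reset right after reading it.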