On Thursday, 11.12.2008, at 05:25 +0100, Yohann Lepage wrote:
> If you look at /var/cache/debconf/passwords.dat, you'll find a copy of
> the password in there (just root_password_again). While the file is
> only readable by root, this is an unnecessary way to leak the
> password.
>
> Best practice for password prompting with debconf is to call db_reset
> to clear the password out of the database as soon as possible after
> you use it.
>
> This bug was probably introduced by the patch #471887.
Not sure why I got this mail today, about 1 1/2 months after you sent it, but you're right, this problem was introduced by the patch from #471887. I added a fix to our svn repository and will upload it tomorrow!

Thanks,
Norbert
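A way to check a debconf password database for the leftover value reported in this thread, as an added example that is not part of the original mails or of the package. It assumes the database stores blank-line-separated stanzas with `Name:` and `Value:` fields; the `example-pkg/...` question names and the sample contents are constructed.

```shell
#!/bin/sh
# Added example: list debconf questions that still hold a non-empty Value.
# Only question names are printed, never the stored value itself.
# Assumption: stanzas are separated by blank lines and use "Name:" and
# "Value:" fields.

# find_leftover_passwords FILE -> one question name per line
find_leftover_passwords() {
    awk '
        function emit() {
            if (name != "" && value != "") print name
            name = ""; value = ""
        }
        /^[[:space:]]*$/ { emit(); next }
        /^Name:/  { sub(/^Name:[[:space:]]*/, "");  name = $0;  next }
        /^Value:/ { sub(/^Value:[[:space:]]*/, ""); value = $0; next }
        END { emit() }
    ' "$1"
}

# write_sample FILE -> constructed database: the first question was
# cleared after use, the confirmation question was not.
write_sample() {
    cat > "$1" <<'EOF'
Name: example-pkg/root_password
Template: example-pkg/root_password
Value: 
Owners: example-pkg
Flags: seen

Name: example-pkg/root_password_again
Template: example-pkg/root_password_again
Value: constructed-secret
Owners: example-pkg
Flags: seen
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
find_leftover_passwords "$sample"
rm -f "$sample"
```

Running `find_leftover_passwords /var/cache/debconf/passwords.dat` needs root, since the file is only readable by root; any name it prints is a question whose value was not cleared.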