Package: bitlbee
Version: 3.0.1-1
Severity: minor
--- Please enter the report below this line. ---
In /etc/bitlbee/bitlbee.conf there are lines:
# AuthPassword = ItllBeBitlBee ## Heh.. Our slogan. ;-)
## or
# AuthPassword = md5:gzkK0Ox/1xh+1XTsQjXxBJ571Vgl
# OperPassword = ChangeMe!
## or
# OperPassword = md5:I0mnZbn1t4R731zzRdDN2/pK7lRX
No password is set by default. The user should be prompted for those
passwords on install (or at least notified that they should set them up).
This is non-critical, as by default bitlbee does not listen on an external
interface; nevertheless it is a security issue on multi-user systems.
BTW, upstream should consider other hashing algorithms + adding salt.
Unsalted MD5 is common and relatively easily breakable.
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.32-5-686
Debian Release: 6.0
--- Package information. ---
Depends (Version) | Installed
=====================================-+-===================
libc6 (>= 2.9) | 2.11.2-10
libevent-1.4-2 (>= 1.4.13-stable) | 1.4.13-stable-1
libgcrypt11 (>= 1.4.2) | 1.4.5-2
libglib2.0-0 (>= 2.24.0) | 2.24.2-1
libgnutls26 (>= 2.7.14-0) | 2.8.6-1
debianutils (>= 1.16) | 3.4
bitlbee-common (= 3.0.1-1) | 3.0.1-1
Package's Recommends field is empty.
Package's Suggests field is empty.
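An added example, not part of the original report and not bitlbee or Debian code: a small audit of the two password settings quoted above, reporting whether each is unset (commented out), left at one of the quoted example values, stored in plaintext, or stored with the md5: prefix. The sample config is constructed, and the parser assumes values run to the end of the line with no trailing comment.

```python
import re

# Constructed sample: commented-out defaults as quoted in the report, plus one
# hypothetical active line left at its example value.
SAMPLE_CONF = """\
[settings]
# AuthPassword = ItllBeBitlBee   ## Heh.. Our slogan. ;-)
## or
# AuthPassword = md5:gzkK0Ox/1xh+1XTsQjXxBJ571Vgl
OperPassword = ChangeMe!
"""

PASSWORD_KEYS = ("AuthPassword", "OperPassword")
# Example values that appear in the config lines quoted in the report.
EXAMPLE_VALUES = {"ItllBeBitlBee", "ChangeMe!",
                  "md5:gzkK0Ox/1xh+1XTsQjXxBJ571Vgl",
                  "md5:I0mnZbn1t4R731zzRdDN2/pK7lRX"}
# Assumption: "key = value" with the value running to the end of the line.
ACTIVE_LINE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def audit_passwords(conf_text):
    """Return {key: status}; status is 'unset', 'example-value',
    'plaintext' or 'md5-hash'. Commented-out lines count as unset."""
    # Keys are matched case-insensitively so that a differently-cased key
    # is not wrongly reported as unset.
    canonical = {key.lower(): key for key in PASSWORD_KEYS}
    status = {key: "unset" for key in PASSWORD_KEYS}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment: the setting is not in effect
        match = ACTIVE_LINE.match(line)
        if not match or match.group(1).lower() not in canonical:
            continue
        key, value = canonical[match.group(1).lower()], match.group(2)
        if not value:
            status[key] = "unset"
        elif value in EXAMPLE_VALUES:
            status[key] = "example-value"
        elif value.startswith("md5:"):
            status[key] = "md5-hash"
        else:
            status[key] = "plaintext"
    return status


if __name__ == "__main__":
    for key, state in audit_passwords(SAMPLE_CONF).items():
        print(f"{key}: {state}")
```

A check like this could back the install-time notification the report asks for, by flagging any key that comes back as unset or example-value.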