Hi *, it is a security problem: the password is sent in clear to an outside DNS server.
unbound: [29988:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 0
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; MYDOMAIN:mynotsecretpassordanym...@apt.exemple.org.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
........

Best regards.

On 05/05/2011 14:53, David Kalnischkies wrote:
> reassign 624573 libcurl3-gnutls 7.21.0-1
> retitle 624573 errorbuffer message includes user/password
> thanks
>
> Hi *,
>
> in case of error, apt-transport-https prints the error message gathered
> with CURL_ERRORBUFFER.
> If we have an unresolvable host the message in stable
> (with libcurl3-gnutls 7.21.0) is as follows:
> Couldn't resolve host 'example.org:sec...@unresolvable.debian.org'
>
> As you can see here, it includes username and password.
> Even further, the username is garbled as the username is in reality:
> m...@example.org -- so the 'me@' is cut off.
>
> (It's not really a security issue in my eyes, as the user who can see this
> message can easily also look up the files himself, but on the other
> hand it is not really useful to include here - especially not broken.)
>
> You can reproduce this by installing apt-transport-https and
> $ mkdir -p /tmp/apt/lists
> $ cd /tmp/apt
> $ cat test.list
> deb https://unresolvable.debian.org/debian/ squeeze main
> $ cat auth.conf
> machine unresolvable.debian.org
> login m...@example.org
> password secret
> $ LANG=C apt-get update -o dir::etc::sourcelist=/tmp/apt/test.list -o
> dir::etc::sourceparts=/dev/null -o dir::etc::netrc=/tmp/apt/auth.conf
> -o dir::state::lists=/tmp/apt/lists -s
>
>
> Also interesting, if I move back to the current unstable version
> of libcurl3-gnutls (7.21.6-1) I am getting a different error:
> Failed to connect to 2620:0:2d0:200::10: Network is unreachable
>
> If I remove the 'me@' part from auth.conf the message is
> Couldn't resolve host 'unresolvable.debian.org'
>
> So, for newer versions username and password seem to get removed
> from the error message, but it seems to be still confused by the @.
>
>
> Best regards
>
> David Kalnischkies
>
>
> P.S.: Sorry, I have no https setup currently to test if it would work
> if the host wouldn't be unresolvable…
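Added example (not code from this bug thread, apt, or libcurl) showing the two failure modes discussed above from the defender's side: why a username containing '@' makes a first-'@' authority split hand the password to the resolver as part of the "host", how percent-encoding the userinfo (RFC 3986 section 3.2.1) removes the ambiguity, and how to strip credentials from a URL before it reaches a log or an error buffer. The function names, the naive splitter and the sample credentials are constructed for illustration; the real parsers in curl and apt are not reproduced here.

```python
from urllib.parse import quote, urlsplit, urlunsplit


def build_https_url(user: str, password: str, host: str, path: str) -> str:
    """Assemble an https URL with percent-encoded userinfo.

    '@' and ':' inside the username or password are encoded so that no
    parser can mistake them for the delimiters of the authority component.
    """
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"https://{userinfo}@{host}{path}"


def naive_split_authority(authority: str) -> tuple[str, str]:
    """Constructed model of a parser that splits at the FIRST '@'.

    Returns (userinfo, host). With an unencoded '@' in the username the
    returned 'host' still carries the password, which is exactly the name
    a resolver would then be asked to look up.
    """
    userinfo, sep, host = authority.partition("@")
    return (userinfo, host) if sep else ("", authority)


def redact_userinfo(url: str) -> str:
    """Return the URL with any userinfo removed, for safe logging.

    The authority is split at the LAST '@' (the RFC 3986 delimiter), so a
    stray '@' inside the username does not leave part of it in the output.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    hostinfo = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, hostinfo, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: username with an '@', as in the report's auth.conf.
    user, password, host, path = "me@example.org", "secret", "unresolvable.debian.org", "/debian/"

    raw_authority = f"{user}:{password}@{host}"
    print("naive split, unencoded:", naive_split_authority(raw_authority))

    safe_url = build_https_url(user, password, host, path)
    print("encoded URL:", safe_url)
    print("naive split, encoded:", naive_split_authority(urlsplit(safe_url).netloc))
    print("standard parse, username:", urlsplit(safe_url).username)

    print("redacted for logging:", redact_userinfo(f"https://{raw_authority}{path}"))
```

The first naive split returns `example.org:secret@unresolvable.debian.org` as the host, which is the shape of the garbled name in the bug report and in the unbound log above; after encoding, both the naive splitter and `urlsplit` agree on the real host, and `redact_userinfo` is what an error path should apply before echoing a URL.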