Your message dated Thu, 09 Dec 2021 05:48:47 +0000
with message-id <e1mvcir-000clu...@fasolo.debian.org>
and subject line Bug#962629: fixed in rainloop 1.16.0+dfsg-1
has caused the Debian Bug report #962629,
regarding rainloop: Rainloop stores passwords in cleartext in logfile
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
962629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962629
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rainloop
Version: 1.12.1-2
Severity: important
Dear Maintainer,

When writing into a logfile, rainloop writes the passwords of all login
attempts (successful or not) into the logfile in cleartext.

Rainloop provides an option 'hide_passwords' in the application.ini that
should prohibit that behaviour, which is by default set to 'On'. But
apparently this doesn't have any effect.

There is already an unresolved github issue about that topic:
https://github.com/RainLoop/rainloop-webmail/issues/1872

Even though this issue doesn't affect the actual usability of rainloop,
I set the severity to 'Important' as this is a security issue.

-- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rainloop depends on:
ii apache2 [httpd] 2.4.38-3+deb10u3
ii ckeditor 4.11.1+dfsg-1
ii php-curl 2:7.3+69
ii php-fpm 2:7.3+69
ii php-nrk-predis 1.0.0-1
ii php-pclzip 2.8.2-4
ii php-seclib 1.0.14-1
ii php-xml 2:7.3+69
ii php7.3-curl [php-curl] 7.3.14-1~deb10u1
ii php7.3-fpm [php-fpm] 7.3.14-1~deb10u1
ii php7.3-json [php-json] 7.3.14-1~deb10u1
ii php7.3-xml [php-xml] 7.3.14-1~deb10u1
rainloop recommends no packages.
Versions of packages rainloop suggests:
pn php5-sqlite | php5-mysql | php5-pgsql <none>
-- Configuration Files:
/etc/rainloop/application.ini changed [not included]
/etc/rainloop/rainloop.apache.conf changed [not included]
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: rainloop
Source-Version: 1.16.0+dfsg-1
Done: Daniel Ring <dr...@wolfishly.me>
We believe that the bug you reported is fixed in the latest version of
rainloop, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 962...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Ring <dr...@wolfishly.me> (supplier of updated rainloop package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 09 Dec 2021 06:24:53 +0100
Source: rainloop
Architecture: source
Version: 1.16.0+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Daniel Ring <dr...@wolfishly.me>
Closes: 962629 997726 998863
Changes:
rainloop (1.16.0+dfsg-1) unstable; urgency=high
.
[ Daniel Ring ]
* SECURITY NOTICE:
In versions of Rainloop prior to 1.14.0, the "hide_passwords = On"
configuration option does not work correctly. This may cause plaintext
passwords to be stored in log files when logging is enabled.
.
Note that the default configuration provided with this package disables
logging; only users who have explicitly enabled it will be affected.
.
For more information, see the upstream issue on GitHub:
https://github.com/RainLoop/rainloop-webmail/issues/1872
.
This issue is fixed in Rainloop 1.14.0 and later. (Closes: #962629)
.
* Update include paths of dependences (Closes: #997726)
* Depend on php-predis instead of php-nrk-predis (Closes: #998863)
* DFSG repack to remove vendored dependencies
* DFSG repack PHP libraries already in Debian
* Use system libjs-jquery-ui
* New upstream version 1.14.0+dfsg-1
* Update node-opentip library path
.
[ Yadd ]
* Update standards version to 4.6.0, no changes needed.
* New upstream version 1.16.0+dfsg
* Refresh patches
* Require node-opentip ≥ 2.4.6-3~
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
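
An added example, not part of the bug report or of the rainloop package: a small audit helper that combines the two conditions from the security notice above (upstream version before 1.14.0, logging enabled) to decide whether an installation can write cleartext passwords to its log. The 'hide_passwords' option and the 1.14.0 threshold come from the thread; the [logs] section name and the 'enable' key are assumptions about application.ini, and the sample configuration is constructed.

```python
import configparser
import re

FIXED_IN = (1, 14, 0)  # per the security notice: fixed in Rainloop 1.14.0 and later

# Constructed sample, not the reporter's configuration (which was not included).
SAMPLE_INI = """\
[logs]
; section and 'enable' key names are assumptions; hide_passwords is from the report
enable = On
hide_passwords = On
"""


def upstream_version(debian_version):
    """Reduce a Debian version such as '1.16.0+dfsg-1' to the tuple (1, 16, 0)."""
    v = debian_version.split(":", 1)[-1]   # drop an epoch, if any
    v = v.rsplit("-", 1)[0]                # drop the Debian revision, if any
    m = re.match(r"\d+(?:\.\d+)*", v)      # numeric part before '+dfsg', '~', ...
    if not m:
        raise ValueError(f"unparseable version: {debian_version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def assess(debian_version, ini_text):
    """Report whether this version/config combination can log cleartext passwords."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    logging_on = cfg.getboolean("logs", "enable", fallback=False)
    hide = cfg.getboolean("logs", "hide_passwords", fallback=True)
    option_broken = upstream_version(debian_version) < FIXED_IN
    if not logging_on:
        reason = "logging disabled"
    elif option_broken:
        reason = "hide_passwords is ignored before 1.14.0"
    elif not hide:
        reason = "hide_passwords is Off"
    else:
        reason = "hide_passwords is honoured"
    exposed = logging_on and (option_broken or not hide)
    return {"exposed": exposed, "reason": reason}


if __name__ == "__main__":
    for version in ("1.12.1-2", "1.16.0+dfsg-1"):
        print(version, assess(version, SAMPLE_INI))
```

On a host that is reported as exposed, the log files already written still contain whatever was logged before the upgrade.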