Moritz Muehlenhoff writes:
> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
>> libapache-authenhook-perl logs passwords in Apache's error.log if the
>> log level is >= info[1]. I prepared an update for Lenny including the
>> same patch used for testing/unstable (already unbloc
On Wed, Oct 13, 2010 at 07:34:39PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> > Hi,
> >
> > libapache-authenhook-perl logs passwords in Apache's error.log if the
> > log level is >= info[1]. I prepared an update for Lenny including the
>
On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> Hi,
>
> libapache-authenhook-perl logs passwords in Apache's error.log if the
> log level is >= info[1]. I prepared an update for Lenny including the
> same patch used for testing/unstable (already unblocked[2] as well).
>
> Sho
Hi,
libapache-authenhook-perl logs passwords in Apache's error.log if the
log level is >= info[1]. I prepared an update for Lenny including the
same patch used for testing/unstable (already unblocked[2] as well).
Should this go through stable-security or does the security team see
this as a mino
Package: libapache-authenhook-perl
Version: 2.00-04+pristine-1+b1
Severity: grave
Tags: security
Justification: user security hole
Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text,
to the vhost's error log:
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,