This bug was fixed in the package apport - 2.20.9-0ubuntu2
---------------
apport (2.20.9-0ubuntu2) bionic; urgency=medium
* data/general-hooks/generic.py: Have JournalErrors include warnings but
only for apport-crash reports which are private by default. (LP: #1738581)
* setup.py: update version with javac
-- Brian Murray <br...@ubuntu.com> Wed, 28 Mar 2018 11:45:29 -0700
** Changed in: apport (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1738581
Title:
apport is leaking environment variables (including passwords!) to
public bug reports
Status in apport package in Ubuntu:
Fix Released
Bug description:
See the bug report
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564
created with ubuntu-bug.
Apport includes the file JournalErrors.txt
This file includes e.g. the following line.
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]:
dbus-update-activation-environment: setting
MPD_HOST=xxxx...@xxxx.xxxxxxxxxxx.org
Normally it would be not problem that gdm-x-session write this to the
journal, because the journal is not intended to be published on the internet.
Setting confidential informations via environment is maybe not the
best idea, but a legal procedure and for `mpc` the only way to set
this information.
IMHO the apport utility is here the problem, because it includes the
file with risky information to a public visible bug report.
Note: I manually delete the attachment in the mentioned bug report. But how
can I sure that a web crawlser hasn't read/preserved that attachment?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1738581/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
