Hi, libapache-authenhook-perl logs passwords in Apache's error.log if the log level is >= info[1]. I prepared an update for Lenny including the same patch used for testing/unstable (already unblocked[2] as well).
Should this go through stable-security or does the security team see this as a minor issue that should be fixed in the next point release? In the former case, shall I upload a package based on the attached patch to stable-security? Regards, Ansgar [1] <http://bugs.debian.org/599712> [2] <http://bugs.debian.org/599779>
Index: debian/changelog =================================================================== --- debian/changelog (revision 63673) +++ debian/changelog (working copy) @@ -1,3 +1,9 @@ +libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable-security; urgency=high + + * Remove passwords from log messages. (Closes: #599712) + + -- Ansgar Burchardt <[email protected]> Wed, 13 Oct 2010 15:36:05 +0200 + libapache-authenhook-perl (2.00-04+pristine-1) unstable; urgency=low [ gregor herrmann ] Index: AuthenHook.xs =================================================================== --- AuthenHook.xs (revision 63673) +++ AuthenHook.xs (working copy) @@ -180,8 +180,8 @@ case OK: ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "Apache::AuthenHook - user '%s', password '%s' verified", - user, password); + "Apache::AuthenHook - user '%s' verified", + user); status = AUTH_GRANTED; break; @@ -196,8 +196,8 @@ default: ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "Apache::AuthenHook - user '%s', password '%s' denied", - user, password); + "Apache::AuthenHook - user '%s' denied", + user); status = AUTH_DENIED; };

