Issue #6857 has been updated by Jacob Helwig.

Status changed from In Topic Branch Pending Merge to Merged - Pending Release

This has been merged into the following branches as of the commits listed below:

`2.6.x` in commit:a87ef54385cbf325d6b085200606562b0d4d7876
`2.7.x` in commit:5e2a3d200b74eef9549e3e2a5bdbe2a23ae7fac1
`master` in commit:9c78759af57967d64eceeeb704a6673b81a76f30
----------------------------------------
Bug #6857: password disclosure when changing a user's password
https://projects.puppetlabs.com/issues/6857

Author: Mark Heily
Status: Merged - Pending Release
Priority: Normal
Assignee: Ben Hughes
Category: 
Target version: 2.6.x
Affected Puppet version: 2.6.4
Keywords: 
Branch: https://github.com/barn/puppet


When puppet-agent changes a user's password in /etc/shadow, the hashed values 
of the old and new passwords are printed in a log message. An example:

    notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword

This is a security risk, since Puppet log messages can be exposed to 
non-privileged users through a variety of mechanisms. It would be best if the 
passwords were stripped out of the log message, and replaced with something 
generic like this:

    notice: /Stage[main]/User[root]/password: should be changed
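
For logs written before the fix, an audit pass like the following finds which accounts had hashes logged and produces a redacted copy. This is an added example, not part of the original report and not Puppet's own code; the function names, the sample log and the "[redacted]" marker are assumptions, and only the first sample line follows the message format quoted above.

```ruby
# Added example (not Puppet code): find and redact password hashes that
# User[...]/password change notices wrote into an agent log.

# Modular crypt format: $id$[rounds=N$]salt$hash
CRYPT_HASH = %r{\$[0-9a-z]{1,2}\$(?:rounds=\d+\$)?[./A-Za-z0-9]+\$[./A-Za-z0-9]+}

# A log line about a user's password property, e.g.
# /Stage[main]/User[root]/password:
PASSWORD_PROP = %r{/User\[(?<user>[^\]]+)\]/password:}

# Constructed sample; the first line uses the format quoted in the report.
SAMPLE_LOG = [
  'notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword',
  'notice: /Stage[main]/User[deploy]/shell: is /bin/sh, should be /bin/bash',
  'notice: /Stage[main]/User[deploy]/password: should be changed',
  'notice: /Stage[main]/File[/etc/motd]/content: content changed'
].freeze

# Returns [redacted_line, user, hash_count]; user is nil when nothing leaked.
def redact_line(line)
  m = PASSWORD_PROP.match(line)
  return [line, nil, 0] unless m

  hits = 0
  clean = line.gsub(CRYPT_HASH) do
    hits += 1
    '[redacted]'
  end
  [clean, hits.zero? ? nil : m[:user], hits]
end

# Returns the redacted lines plus a per-user count of exposed hashes.
def audit(lines)
  exposed = Hash.new(0)
  redacted = lines.map do |line|
    clean, user, hits = redact_line(line)
    exposed[user] += hits if user
    clean
  end
  { redacted: redacted, exposed: exposed }
end

if __FILE__ == $PROGRAM_NAME
  result = audit(SAMPLE_LOG)
  puts result[:redacted]
  result[:exposed].each { |user, n| puts "exposed: User[#{user}] (#{n} hashes)" }
end
```

Accounts reported as exposed had hashes readable by anyone with access to that log, so those passwords are candidates for rotation.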



