Akash,

Just as a general point of etiquette, it's customary to notify vendors of security-related issues privately before publicly announcing them. Posting the details of security-related issues to a public mailing list without giving the folks who make a package a chance to address a potential vulnerability is irresponsible and potentially dangerous.

Thankfully, at first glance, it looks like the issue you've run into isn't particularly dangerous. RT ships with stack trace logging disabled and _generally_ the folks who have access to application logs are also the folks who manage the application. I do believe that the issue you've noticed merits a note in the config file that it's possible for sensitive data to get logged if that function is enabled. I intend to make that change for RT 3.8.3, but don't currently believe that this issue requires an accelerated release schedule.

Best,
Jesse Vincent
Best Practical

On Mon 2.Feb'09 at 17:26:14 -0500, Akash wrote:
> Hi all,
>
> When I enabled logging of stack traces, the user passwords are being
> written in cleartext in the log files!
> I enabled stack tracing by adding the following line in
> RT_SiteConfig.pm:
>
> Set($LogStackTraces, 4);
>
> Can somebody please fix this serious error so that passwords are
> encrypted? I am using RT 3.8.1 installed
> from ports on a FreeBSD machine. (Actually I think I got a patch from
> someone in this mailing list.) If
> the error has been fixed in 3.8.2, please let me know.
>
> Also, if a 3.8.2 port is available, is it stable enough to update my 3.8.1
> version?
>
> Thanks,
> Akash.
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: [email protected]
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
--
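As an added illustration of the leak Akash describes (example code written for this page, not RT's own logging code): Carp-style backtraces in Perl print every frame's arguments, so a password passed positionally lands in the log verbatim, and scrubbing the trace before it is written is one mitigation when trace logging cannot simply stay off. The `authenticate`, `log_with_trace` and `redact_trace` subs and the `%SENSITIVE` map are constructed for this example, and it assumes that the traces RT writes are Carp-style with arguments rendered as `sub('arg', 'arg')`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp ();

# Constructed login routine: the cleartext password is a positional
# argument, so every Carp-style trace through this frame captures it.
sub authenticate {
    my ( $user, $password ) = @_;
    # Pretend the check failed and log it at a trace-producing level.
    return log_with_trace("login failed for $user");
}

# Stand-in for a logger with stack traces enabled: Carp::longmess
# renders each caller frame together with its arguments.
sub log_with_trace {
    my ($message) = @_;
    return Carp::longmess($message);
}

# Which argument positions hold secrets, per fully qualified sub name
# (0-based). Assumption for this example; a real deployment would
# maintain this list for its own credential-handling subs.
my %SENSITIVE = ( 'main::authenticate' => 1 );

# Rewrite the trace before it reaches the log file. Only handles the
# plain "sub('arg', 'arg')" rendering; arguments containing commas or
# parentheses would need a real parser rather than this regex.
sub redact_trace {
    my ($trace) = @_;
    for my $sub ( keys %SENSITIVE ) {
        my $idx = $SENSITIVE{$sub};
        $trace =~ s{
            ( \Q$sub\E \( )               # sub name and opening paren
            ( (?: [^,)]+ , \s* ){$idx} )  # the arguments before the secret
            ( [^,)]+ )                    # the secret itself
        }{${1}${2}'[REDACTED]'}gx;
    }
    return $trace;
}

my $raw = authenticate( 'alice', 'hunter2' );
print "RAW TRACE (password visible):\n$raw\n";
print "REDACTED TRACE:\n", redact_trace($raw), "\n";
```

Running it shows the `main::authenticate('alice', 'hunter2')` frame in the raw trace and `main::authenticate('alice', '[REDACTED]')` after scrubbing; the safer fix is still to keep trace logging off in production or to avoid passing credentials as plain positional arguments.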
