Package: cdebconf
Version: 0.97
Severity: critical
Tags: pending

If you preseed a password question, then instead of the password being stored in /var/lib/cdebconf/passwords.dat as it's supposed to be and thus not copied to the installed system, it is stored in /var/lib/cdebconf/questions.dat and copied to /var/log/installer/cdebconf/questions.dat. While obviously your password was already exposed by virtue of being in the preseed file, even if you're using passwd/root-password-crypted etc. then this bug makes it significantly easier for attackers to attack the encrypted password at their leisure without first having to get at the contents of /etc/shadow.

This bug arises because cdebconf 0.97 did not properly migrate a question to a different stacked database when its type changes, which happens in the case of preseeding because debian-installer/dummy is a string template. I fixed this in SVN yesterday, but since this constitutes a security flaw I think it needs a bug report too.

--
Colin Watson [EMAIL PROTECTED]
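
A check for the exposure described in the report above, as an added example that is not part of the original message or of cdebconf: it parses a questions.dat copy and lists password questions that still carry a stored value. The stanza layout (Name:/Template:/Value: fields separated by blank lines) and the name-based match are assumptions, and the sample data is constructed.

```python
import re
import sys

# Path named in the report: the copy left on the installed system.
LOG_COPY = "/var/log/installer/cdebconf/questions.dat"
# Assumption: password questions are recognised by their name (last path
# component contains "password"); this heuristic is not cdebconf's own logic.
PASSWORD_NAME = re.compile(r"password[^/]*$", re.IGNORECASE)

# Constructed sample in the assumed RFC 822-style stanza layout.
SAMPLE = """\
Name: debian-installer/country
Template: debian-installer/country
Value: US
Owners: d-i

Name: passwd/root-password-crypted
Template: debian-installer/dummy
Value: $1$CONSTRUCTED$notARealHashValue000000
Owners: d-i

Name: passwd/user-password
Template: passwd/user-password
Value:
"""

def parse_stanzas(text):
    """Yield one dict of field -> value per blank-line-separated stanza."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:   # continuation line
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        if fields:
            yield fields

def leaked_password_questions(text):
    """Return names of password questions that still hold a value."""
    return [s["Name"] for s in parse_stanzas(text)
            if PASSWORD_NAME.search(s.get("Name", "")) and s.get("Value")]

if __name__ == "__main__":
    # With no argument, scan the copy kept on the installed system.
    path = sys.argv[1] if len(sys.argv) > 1 else LOG_COPY
    with open(path, errors="replace") as fh:
        for name in leaked_password_questions(fh.read()):
            print("password question with stored value:", name)
```

Any name it prints is a password question whose value survived into the scanned file; on a system installed with the affected version, that file warrants removal or tighter permissions and the preseeded password should be changed.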