** Description changed:

- Your automated bug reports are posting Logs.var.log.mysql.error.log.txt
- in clear text. These logs may contain PII as well as user credentials.
+ MySQL has some logic for ensuring passwords aren't written to the logs,
+ detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html
+ (passwords are rewritten before they are logged). However,
+ a failed grant statement is written unaltered to the error log,
+ bypassing the password rewriting logic.
+
+ [Impact]
+ Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.
+
+ [Test case]
+ (note/todo: I had a simpler test for this, but can't find the exact syntax for it)
+ * Add the following to the server config:
+   plugin-load=validate_password.so
+   validate-password=FORCE_PLUS_PERMANENT
+   and restart the server
+ * Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
+ * Observe statement failing because it doesn't follow password validation rules
+
+ Expected behavior:
+ Password is scrambled or otherwise not written to the error log
+
+ Actual behavior:
+ The entire failed grant statement is written to the error log
+
+ [Regression Potential]
+ The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.
+
+
+ [Original description]
+ Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1574458

Title:
  Logs.var.log.mysql.error.log.txt contains usernames and passwords

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1574458/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
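The scrubbing approach the [Regression Potential] section describes, written out as an added example (this is not the apport hook or the fix shipped for this bug, and it is not MySQL's own rewriting code). It replaces every error-log line that mentions a statement which can carry a password, run here over a constructed log excerpt modelled on the [Test case] steps. Assumptions: SENSITIVE_TERMS approximates the statement keywords on the password-logging page rather than reproducing the fix's exact list, and the wording of the logged failed GRANT in SAMPLE_LOG is made up for the demonstration.

```python
"""Strip credential-bearing lines from a MySQL error log before it is
attached to a bug report.  Added example for this bug report; not the
apport hook itself and not the fix that was uploaded."""
import re

# Keywords of the statements MySQL's password rewriting is meant to cover
# (CREATE USER, ALTER USER, GRANT ... IDENTIFIED BY, SET PASSWORD,
# CHANGE MASTER TO, CREATE SERVER / ALTER SERVER).  Assumption: this list
# approximates the terms on the password-logging page; the exact list used
# by the fix is not shown in the bug.
SENSITIVE_TERMS = (
    "IDENTIFIED BY",
    "IDENTIFIED WITH",
    "SET PASSWORD",
    "PASSWORD(",
    "CREATE USER",
    "ALTER USER",
    "GRANT ",
    "CHANGE MASTER TO",
    "MASTER_PASSWORD",
    "CREATE SERVER",
    "ALTER SERVER",
)

_TERM_RE = re.compile("|".join(re.escape(t) for t in SENSITIVE_TERMS),
                      re.IGNORECASE)

REDACTED = "[line removed: possible credentials]"


def is_sensitive(line):
    """True if the line mentions any statement that can carry a password."""
    return _TERM_RE.search(line) is not None


def scrub_error_log(text):
    """Return (scrubbed_text, redacted_count).

    Whole lines are replaced, as the fix described in the bug does.  That
    over-redacts (a benign "GRANT ..." mention also disappears), which is
    the regression potential the bug notes, but it keeps line numbering
    intact and never depends on parsing SQL quoting correctly.
    """
    out = []
    redacted = 0
    for line in text.splitlines():
        if is_sensitive(line):
            out.append(REDACTED)
            redacted += 1
        else:
            out.append(line)
    result = "\n".join(out)
    if text.endswith("\n"):
        result += "\n"
    return result, redacted


# Constructed sample: roughly what a mysqld error log could look like after
# the [Test case] steps.  The wording of the logged failed GRANT is assumed.
SAMPLE_LOG = (
    "2016-04-25T10:00:00.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections.\n"
    "2016-04-25T10:01:00.000000Z 4 [ERROR] Failed statement: "
    "GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123'\n"
    "2016-04-25T10:01:00.000000Z 4 [Warning] Your password does not satisfy "
    "the current policy requirements\n"
    "2016-04-25T10:02:00.000000Z 5 [Note] Aborted connection 5 to db: 'app' user: 'app'\n"
)

if __name__ == "__main__":
    scrubbed, n = scrub_error_log(SAMPLE_LOG)
    print(scrubbed, end="")
    print("%d line(s) redacted" % n)
```

Running the module prints the scrubbed excerpt with the GRANT line replaced and the surrounding diagnostics untouched; the same function can be dropped into a hook that reads /var/log/mysql/error.log before attaching it. A check worth keeping alongside it is that the literal password from the test case does not appear anywhere in the output.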
