Debian Bug report logs - #599712
libapache-authenhook-perl: leaks passwords to the logs

version graph

Package: libapache-authenhook-perl; Maintainer for libapache-authenhook-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libapache-authenhook-perl is src:libapache-authenhook-perl.

Reported by: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Date: Sun, 10 Oct 2010 12:00:02 UTC

Severity: grave

Tags: security

Found in version libapache-authenhook-perl/2.00-04+pristine-1

Fixed in versions libapache-authenhook-perl/2.00-04+pristine-2, libapache-authenhook-perl/2.00-04+pristine-1+lenny1

Done: Ansgar Burchardt <ansgar@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://rt.cpan.org/Public/Bug/Display.html?id=62040

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Sun, 10 Oct 2010 12:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 10 Oct 2010 12:00:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache-authenhook-perl: leaks passwords to the logs
Date: Sun, 10 Oct 2010 13:27:46 +0200
Package: libapache-authenhook-perl
Version: 2.00-04+pristine-1+b1
Severity: grave
Tags: security
Justification: user security hole

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text,
to the vhost's error log:

      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                    "Apache::AuthenHook - user '%s', password '%s' verified",
                    user, password);

As far as I can see, this behavior is not documented, and impossible to turn
off (it's hard-coded in the C file) except by raising the log level.
I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that case,
it should only be possible to enable for the Apache admin.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Mon, 11 Oct 2010 05:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to bug-Apache-AuthenHook@rt.cpan.org:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 11 Oct 2010 05:15:03 GMT) Full text and rfc822 format available.

Message #10 received at 599712@bugs.debian.org (full text, mbox):

From: "Ivan Kohler via RT" <bug-Apache-AuthenHook@rt.cpan.org>
To: 599712@bugs.debian.org
Subject: [rt.cpan.org #62040] [PATCH] leaks passwords to the logs
Date: Mon, 11 Oct 2010 01:12:03 -0400
[Message part 1 (text/plain, inline)]
<URL: https://rt.cpan.org/Ticket/Display.html?id=62040 >

Here is a simple fix for this issue.  I opted to keep the messages and
just omit the password.


[AuthenHook.patch (text/x-patch, inline)]
Index: AuthenHook.xs
===================================================================
--- AuthenHook.xs	(revision 63560)
+++ AuthenHook.xs	(working copy)
@@ -180,8 +180,8 @@
 
     case OK:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' verified",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' verified",
+                    user);
 
       status = AUTH_GRANTED;
       break;
@@ -196,8 +196,8 @@
 
     default:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' denied",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' denied",
+                    user);
 
       status = AUTH_DENIED;
   };

Set Bug forwarded-to-address to 'http://rt.cpan.org/Public/Bug/Display.html?id=62040'. Request was from Ivan Kohler <ivan-debian@420.am> to control@bugs.debian.org. (Mon, 11 Oct 2010 05:30:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Mon, 11 Oct 2010 05:39:03 GMT) Full text and rfc822 format available.

Message #15 received at 599712@bugs.debian.org (full text, mbox):

From: "Bugs in Apache-AuthenHook via RT" <bug-Apache-AuthenHook@rt.cpan.org>
To: 599712@bugs.debian.org
Subject: [rt.cpan.org #62040] AutoReply: leaks passwords to the logs
Date: Mon, 11 Oct 2010 01:02:56 -0400
Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
	"leaks passwords to the logs", 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [rt.cpan.org #62040].  Your ticket is accessible
on the web at:

    https://rt.cpan.org/Ticket/Display.html?id=62040

Please include the string:

         [rt.cpan.org #62040]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

                        Thank you,
                        bug-Apache-AuthenHook@rt.cpan.org

-------------------------------------------------------------------------
Apache::AuthenHook seemingly logs _all_ usernames and passwords, in
clear text, to the vhost's error log:

 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
               "Apache::AuthenHook - user '%s', password '%s' verified",
               user, password);

As far as I can see, this behavior is not documented, and impossible to
turn off (it's hard-coded in the C file) except by raising the log
level.  I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43]
Apache::AuthenHook - user 'Sesse', password '<censored for this bug
report>' verified

There's no good reason for this except for debugging, and even in that
case, it should only be possible to enable for the Apache admin.






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Mon, 11 Oct 2010 05:39:05 GMT) Full text and rfc822 format available.

Message #18 received at 599712@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 599712@bugs.debian.org, 599712-submitter@bugs.debian.org
Subject: Bug in libapache-authenhook-perl fixed in revision 63561
Date: Mon, 11 Oct 2010 05:37:17 +0000
tag 599712 + pending
thanks

Some bugs are closed in revision 63561
by Ivan Kohler (ivan)

Commit message:

Remove passwords from log messages (Closes: #599712)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 11 Oct 2010 05:39:06 GMT) Full text and rfc822 format available.

Message sent on to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug#599712. (Mon, 11 Oct 2010 05:39:08 GMT) Full text and rfc822 format available.

Reply sent to Ivan Kohler <ivan-debian@420.am>:
You have taken responsibility. (Mon, 11 Oct 2010 05:51:03 GMT) Full text and rfc822 format available.

Notification sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug acknowledged by developer. (Mon, 11 Oct 2010 05:51:03 GMT) Full text and rfc822 format available.

Message #28 received at 599712-close@bugs.debian.org (full text, mbox):

From: Ivan Kohler <ivan-debian@420.am>
To: 599712-close@bugs.debian.org
Subject: Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-2
Date: Mon, 11 Oct 2010 05:47:06 +0000
Source: libapache-authenhook-perl
Source-Version: 2.00-04+pristine-2

We believe that the bug you reported is fixed in the latest version of
libapache-authenhook-perl, which is due to be installed in the Debian FTP archive:

libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
libapache-authenhook-perl_2.00-04+pristine-2.dsc
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2.dsc
libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ivan Kohler <ivan-debian@420.am> (supplier of updated libapache-authenhook-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 10 Oct 2010 22:21:46 -0700
Source: libapache-authenhook-perl
Binary: libapache-authenhook-perl
Architecture: source amd64
Version: 2.00-04+pristine-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Ivan Kohler <ivan-debian@420.am>
Description: 
 libapache-authenhook-perl - Perl API for Apache 2.1 authentication
Closes: 599712
Changes: 
 libapache-authenhook-perl (2.00-04+pristine-2) unstable; urgency=low
 .
   [ gregor herrmann ]
   * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
     (source stanza).
 .
   [ Ivan Kohler ]
   * Remove passwords from log messages (Closes: #599712)
   * Add myself to Uploaders:
Checksums-Sha1: 
 cf9f39ccb2325954d25cd746003bc32f311d16e9 1637 libapache-authenhook-perl_2.00-04+pristine-2.dsc
 5f32caba35cd4c95966ee8d553a12c5ac136e6fb 3053 libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
 f8e6ef9224ec7cd4160afb638702940aa14e9d0b 16272 libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb
Checksums-Sha256: 
 a0a162c2cdd8a57ffca7b40f0b89c935ca49775ddbaee8c506b0593e9fc8669d 1637 libapache-authenhook-perl_2.00-04+pristine-2.dsc
 05e04764f0bdf22f84207d83dc7166fef6f5fc57f9364dfddeee0b94d279eaf5 3053 libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
 9e3d2e4978868ee527e607acd78ae21e2436bb53dce1a70877ff76a687bd9fff 16272 libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb
Files: 
 d597300c97408461bd514f9656c85eb4 1637 perl optional libapache-authenhook-perl_2.00-04+pristine-2.dsc
 00d68dbf2421d1957961ccddcf92dceb 3053 perl optional libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
 fa99813cec78414613d68883ef00b544 16272 perl optional libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyyotUACgkQgYcvm1TBwckLQwCfRnWc+24VStuGd5K8t1u5tXZn
2BwAnirwulqA9SzVASNALBxBjfYNlm1t
=Tkjf
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 11:33:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Oct 2010 11:33:08 GMT) Full text and rfc822 format available.

Message #33 received at 599712@bugs.debian.org (full text, mbox):

From: Gerfried Fuchs <rhonda@deb.at>
To: Ivan Kohler <ivan-debian@420.am>
Cc: 599712@bugs.debian.org
Subject: Re: Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-2
Date: Wed, 13 Oct 2010 13:29:30 +0200
        Hi!

* Ivan Kohler <ivan-debian@420.am> [2010-10-11 07:47:06 CEST]:
>    [ Ivan Kohler ]
>    * Remove passwords from log messages (Closes: #599712)
>    * Add myself to Uploaders:

 As the fix for this bug is a pretty small one it would be really good
when you are pushing the fix also into the stable release, the bug is
still outstanding for lenny.

 If you need help with that, please let me know.
Rhonda
-- 
https://flattr.com/thing/47066/Debian-BTS-cleaning-up




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 14:33:02 GMT) Full text and rfc822 format available.

Message #36 received at 599712@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@43-1.org>
To: team@security.debian.org
Cc: 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 16:30:26 +0200
[Message part 1 (text/plain, inline)]
Hi,

libapache-authenhook-perl logs passwords in Apache's error.log if the
log level is >= info[1].  I prepared an update for Lenny including the
same patch used for testing/unstable (already unblocked[2] as well).

Should this go through stable-security or does the security team see
this as a minor issue that should be fixed in the next point release?
In the former case, shall I upload a package based on the attached patch
to stable-security?

Regards,
Ansgar

[1] <http://bugs.debian.org/599712>
[2] <http://bugs.debian.org/599779>

[libapache-authenhook-perl-lenny.diff (text/x-diff, inline)]
Index: debian/changelog
===================================================================
--- debian/changelog	(revision 63673)
+++ debian/changelog	(working copy)
@@ -1,3 +1,9 @@
+libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable-security; urgency=high
+
+  * Remove passwords from log messages. (Closes: #599712)
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Wed, 13 Oct 2010 15:36:05 +0200
+
 libapache-authenhook-perl (2.00-04+pristine-1) unstable; urgency=low
 
   [ gregor herrmann ]
Index: AuthenHook.xs
===================================================================
--- AuthenHook.xs	(revision 63673)
+++ AuthenHook.xs	(working copy)
@@ -180,8 +180,8 @@
 
     case OK:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' verified",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' verified",
+                    user);
 
       status = AUTH_GRANTED;
       break;
@@ -196,8 +196,8 @@
 
     default:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' denied",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' denied",
+                    user);
 
       status = AUTH_DENIED;
   };

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 14:33:04 GMT) Full text and rfc822 format available.

Message #39 received at 599712@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 599712@bugs.debian.org, 599712-submitter@bugs.debian.org
Subject: Bug in fixed in revision 63676
Date: Wed, 13 Oct 2010 14:31:17 +0000
tag 599712 + pending
thanks

Some bugs are closed in revision 63676
by Ansgar Burchardt (ansgar)

Commit message:

Remove passwords from log messages. (Closes: #599712)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 13 Oct 2010 14:33:06 GMT) Full text and rfc822 format available.

Message sent on to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug#599712. (Wed, 13 Oct 2010 14:33:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 17:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Oct 2010 17:36:03 GMT) Full text and rfc822 format available.

Message #49 received at 599712@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ansgar Burchardt <ansgar@43-1.org>
Cc: team@security.debian.org, 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 19:34:39 +0200
On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> Hi,
> 
> libapache-authenhook-perl logs passwords in Apache's error.log if the
> log level is >= info[1].  I prepared an update for Lenny including the
> same patch used for testing/unstable (already unblocked[2] as well).
> 
> Should this go through stable-security or does the security team see
> this as a minor issue that should be fixed in the next point release?
> In the former case, shall I upload a package based on the attached patch
> to stable-security?

Since the impact is minor, please fix it through a point update.

I'll request a CVE ID for it and keep you CCed, maybe you can
hold off the upload for a few days until it's available? (The
next point update will take a few weeks anyway)

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 20:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Oct 2010 20:45:06 GMT) Full text and rfc822 format available.

Message #54 received at 599712@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ansgar Burchardt <ansgar@43-1.org>
Cc: team@security.debian.org, 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 22:40:59 +0200
On Wed, Oct 13, 2010 at 07:34:39PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> > Hi,
> > 
> > libapache-authenhook-perl logs passwords in Apache's error.log if the
> > log level is >= info[1].  I prepared an update for Lenny including the
> > same patch used for testing/unstable (already unblocked[2] as well).
> > 
> > Should this go through stable-security or does the security team see
> > this as a minor issue that should be fixed in the next point release?
> > In the former case, shall I upload a package based on the attached patch
> > to stable-security?
> 
> Since the impact is minor, please fix it through a point update.
> 
> I'll request a CVE ID for it and keep you CCed, maybe you can
> hold off the upload for a few days until it's available? (The
> next point update will take a few weeks anyway)

CVE-2010-3845

Cheers,
         Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 21:06:06 GMT) Full text and rfc822 format available.

Message #57 received at 599712@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@43-1.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 23:04:04 +0200
Moritz Muehlenhoff <jmm@inutil.org> writes:

> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
>> libapache-authenhook-perl logs passwords in Apache's error.log if the
>> log level is >= info[1].  I prepared an update for Lenny including the
>> same patch used for testing/unstable (already unblocked[2] as well).
>> 
>> Should this go through stable-security or does the security team see
>> this as a minor issue that should be fixed in the next point release?
>> In the former case, shall I upload a package based on the attached patch
>> to stable-security?
>
> Since the impact is minor, please fix it through a point update.
>
> I'll request a CVE ID for it and keep you CCed, maybe you can
> hold off the upload for a few days until it's available? (The
> next point update will take a few weeks anyway)

Sure.  I'll prepare an upload and contact the stable release team once I
get the CVE ID.

Regards,
Ansgar




Reply sent to Ansgar Burchardt <ansgar@debian.org>:
You have taken responsibility. (Sat, 23 Oct 2010 19:57:03 GMT) Full text and rfc822 format available.

Notification sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug acknowledged by developer. (Sat, 23 Oct 2010 19:57:03 GMT) Full text and rfc822 format available.

Message #62 received at 599712-close@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: 599712-close@bugs.debian.org
Subject: Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-1+lenny1
Date: Sat, 23 Oct 2010 19:54:40 +0000
Source: libapache-authenhook-perl
Source-Version: 2.00-04+pristine-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libapache-authenhook-perl, which is due to be installed in the Debian FTP archive:

libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ansgar Burchardt <ansgar@debian.org> (supplier of updated libapache-authenhook-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 13 Oct 2010 23:17:55 +0200
Source: libapache-authenhook-perl
Binary: libapache-authenhook-perl
Architecture: amd64 source
Version: 2.00-04+pristine-1+lenny1
Distribution: stable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Ansgar Burchardt <ansgar@debian.org>
Closes: 599712
Description: 
 libapache-authenhook-perl - Perl API for Apache 2.1 authentication
Changes: 
 libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable; urgency=high
 .
   * [CVE-2010-3845] Remove passwords from log messages. (Closes: #599712)
Checksums-Sha1: 
 5ef020e618d02fc7b45a30862e22e48e236b6df9 16362 libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb
 10eee4c1e632c49b39f5ee899b52b94ddf3f98b6 2268 libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
 0a341963ba86764fecb2575dd1bd4500178bbc96 3000 libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
Checksums-Sha256: 
 b76e5f3330f6bb42db9bd2d00d42ef941a840845e344401b4a524fdbefd030bb 16362 libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb
 3e772e37526356a8ea40071cde884de1b7ac7a9bbce5819bfad99e9a729a439b 2268 libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
 76a192fa1789e6a2c46ccb53dcd808e62ffced400e65589cdf3a15b7fc7a6836 3000 libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
Files: 
 9dc5c1aa03a91a3cb988c008311cf2d6 16362 perl optional libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb
 13ab1e5b28b5e11e143ff878d77c7db2 2268 perl optional libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
 f842c1269f09956c92e0fc01b3faa881 3000 perl optional libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCgAGBQJMwhQpAAoJEIATJTTdNH3IMfwP/AnR+iaK4iclKtkUuUz3wNSB
xWLsfrLRqGtuVNefhlDT57DhNPBt4udRvLB1It7t/POADXEpTugWD74YhtHzoHoz
mcttC+tl3K1I2VNdMPpzXTrkORGUTno5m/xpXEgqPw9408Yy7cqE/4qLnEfNOvdW
DeDJxJzm9cbc3h2AjCEjZfUpotfs5FOJiAbszkeb0UlvNatwAcExYoS9ctbhKYlL
/lP+h3MKY5kWXl3izEDHCQ3kvkBnTkBot6Y/7OamG7KOSGmbnNXH4aw9o7yiLZqe
wn6SuLpy8qxta8eiNZc1q6SIfqP8wsJD9bESZGPxVP5qF/ZH5wK7aLFBKQk/NUtm
hGRTCP28fTl2JDqshMbfNYtIyMCrow5DawC/5iFWo9IrRIW4g6VHU0VVkn78vklt
efBAVtj5xokU/6mzgfpRXeCjG3MaZh5Hg59qdBAQuauhQ+tzkQzQG6akjj5UaAGW
68hDL73yyjqbAf4nRvKY8Dr5cGG6bOWsd7AVNYuymi64lGGdgzI7n08xRPaF7I6M
uhef2rVXkEeGvauhrBGpxzVkB52EjlTN4/AaH55UJ7tFNVwjZhfWCXgJXhKdUprC
wA41gcFaXTCdhATtxu9TpUeJW/fK4gkrfpJ6GXkFWPNKghUEFDG4cHqQSGAb2/5F
G7Qt4mMBmdH0bWNdjn15
=YOTC
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Nov 2010 07:29:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:46:50 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.