update-manager leaks passwords to private PPAs in world readable log files
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
update-manager (Ubuntu) | Fix Released | High | Michael Vogt | |
Oneiric | Fix Released | High | Michael Vogt | |
Bug Description
update-manager puts passwords to private PPAs in world-readable log
files, cf.
| sdfsdsd@tuna:~$ grep -r private-ppa /var/log/
| /var/log/
| /var/log/
| sdfsdsd@tuna:~$ groups
| sdfsdsd
| sdfsdsd@tuna:~$
Obviously, this is bad for any system that has more than one user.
security vulnerability: | no → yes |
Changed in update-manager (Ubuntu Oneiric): | |
importance: | Undecided → Medium |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
status: | New → Confirmed |
Changed in update-manager (Ubuntu Oneiric): | |
assignee: | Canonical Foundations Team (canonical-foundations) → Michael Vogt (mvo) |
importance: | Medium → High |
tags: | added: rls-mgr-o-tracking |
Changed in update-manager (Ubuntu Oneiric): | |
milestone: | none → oneiric-updates |
Changed in update-manager (Ubuntu Oneiric): | |
status: | Confirmed → In Progress |
Changed in update-manager (Ubuntu Oneiric): | |
status: | In Progress → Fix Committed |
This bug was fixed in the package update-manager - 1:0.152.20
---------------
update-manager (1:0.152.20) oneiric; urgency=low
* DistUpgrade/DistUpgradeQuirks.py: DistUpgradeController.py, UpdateManager/Core/utils.py: UpdateManager.py: DistUpgradeFetcher.py: backend/InstallBackendAptdaemon.py:
- increase the default cache size on a multiarch system to
avoid potential crash in natty apt (LP: #854090)
* DistUpgrade/
- do not leak password from sources.list entries into the logfile
(LP: #839094)
* UpdateManager/
- do not crash if a package can not be put into "install" state,
instead, just keep the old (unmarked) state (LP: #850482)
* UpdateManager/
- fix crash for changed gtk2 -> gtk3 API (LP: #859862)
* UpdateManager/
- remove debug output (LP: #855495)
-- Michael Vogt <email address hidden> Fri, 30 Sep 2011 16:09:55 +0200
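
The changelog entry for LP: #839094 says passwords from sources.list entries are no longer written to the logfile. The sketch below is an added example, not the update-manager patch: it shows one way to strip the password from `scheme://user:password@host` URIs before logging, and goes slightly further by creating the log with mode 0600 and checking the world-readable bit. The function names, the sample entries and the credentials in them are constructed for illustration.

```python
import os
import re
import stat
from urllib.parse import urlsplit, urlunsplit

# Constructed sample sources.list content; users and passwords are made up.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu oneiric main
deb https://alice:s3cr3t@private-ppa.launchpad.net/team/ppa/ubuntu oneiric main
deb-src [arch=amd64] https://bob:p%40ss@private-ppa.launchpad.net/team/ppa/ubuntu oneiric main
# deb https://carol:old@private-ppa.launchpad.net/team/ppa/ubuntu oneiric main
"""

# Any scheme://... token; option blocks such as [arch=amd64] do not match.
_URI = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S+")

def redact_uri(uri):
    """Replace the password in scheme://user:password@host/... with ***."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri  # nothing secret in the authority part
    host = parts.netloc.rpartition("@")[2]
    netloc = "%s:***@%s" % (parts.username, host)
    return urlunsplit(parts._replace(netloc=netloc))

def redact_line(line):
    """Redact every URI in one sources.list line, commented-out ones too."""
    return _URI.sub(lambda m: redact_uri(m.group(0)), line)

def is_world_readable(path):
    """True if 'other' has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def write_log(path, lines):
    """Write redacted lines to a log file that is created with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.writelines(redact_line(line) for line in lines)

if __name__ == "__main__":
    for entry in SAMPLE_SOURCES.splitlines():
        print(redact_line(entry))
```

Redaction and restrictive file modes are independent controls: the mode passed to `os.open` only applies when the file is created, so an existing world-readable log keeps its permissions until they are changed.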