Date: Wed, 12 Aug 2015 02:25:10 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 202262] sysutils/froxlor: database password information leak (CVE-2015-5959)
Message-ID: <bug-202262-13-l1EOoAjS2k@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-202262-13@https.bugs.freebsd.org/bugzilla/>
References: <bug-202262-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202262

--- Comment #1 from Jason Unovitch <junovitch@freebsd.org> ---
Looking at this:
https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/

And a small quote for this...

>> actually this fix is missing the removal of the compromised logfiles,
>> otherwise it fixes future logging of passwords, but not the access to the
>> logfile that has been compromised.

> Sorry, as I was pushed to do a release it just got lost in the
> hurry...removing all .log files from the directory should do the job,
> alternatively just use the class.ConfigIO.php from Github
> (https://github.com/F...ss.ConfigIO.php)

I believe we should factor into our VuXML or pkg-message that old logs may
still contain their database password. I intend to research that a bit closer
and provide a recommendation.

--
You are receiving this mail because:
You are the assignee for the bug.