
group.of.nepali.translators team mailing list archive

[Bug 1574458] Re: Logs.var.log.mysql.error.log.txt contains usernames and passwords


This bug was fixed in the package mysql-5.7 - 5.7.13-0ubuntu0.16.04.2

---------------
mysql-5.7 (5.7.13-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 5.7.13 to fix security issues (LP: #1604796)
    - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
    - CVE-2016-3424
    - CVE-2016-3459
    - CVE-2016-3477
    - CVE-2016-3486
    - CVE-2016-3501
    - CVE-2016-3518
    - CVE-2016-3521
    - CVE-2016-3588
    - CVE-2016-3614
    - CVE-2016-3615
    - CVE-2016-5436
    - CVE-2016-5437
    - CVE-2016-5439
    - CVE-2016-5440
    - CVE-2016-5441
    - CVE-2016-5442
    - CVE-2016-5443
  * debian/patches/mysql-export-scramble.patch: removed, upstream.

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 20 Jul 2016 08:44:25 -0400

** Changed in: mysql-5.7 (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3424

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3459

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3477

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3486

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3501

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3518

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3521

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3588

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3614

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3615

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5436

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5437

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5439

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5440

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5441

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5442

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5443

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1574458

Title:
  Logs.var.log.mysql.error.log.txt contains usernames and passwords

Status in mariadb-10.0 package in Ubuntu:
  New
Status in mariadb-5.5 package in Ubuntu:
  New
Status in mysql-5.5 package in Ubuntu:
  New
Status in mysql-5.6 package in Ubuntu:
  New
Status in mysql-5.7 package in Ubuntu:
  Fix Released
Status in mariadb-10.0 source package in Xenial:
  New
Status in mariadb-5.5 source package in Xenial:
  New
Status in mysql-5.5 source package in Xenial:
  New
Status in mysql-5.6 source package in Xenial:
  New
Status in mysql-5.7 source package in Xenial:
  Fix Released

Bug description:
  MySQL has some logic for ensuring passwords aren't written to the
  logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html
  (passwords are rewritten before they are logged).
  However, a failed grant statement is written unaltered to the error
  log, bypassing the password rewriting logic.

  [Impact]
  Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials being written in plain text to public bug reports.

  [Test case]
  (note/todo: I had a simpler test for this, but can't find the exact syntax for it)
  * Add the following to the server config:
  plugin-load=validate_password.so
  validate-password=FORCE_PLUS_PERMANENT
  and restart the server
  * Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
  * Observe statement failing because it doesn't follow password validation rules
  * Run "ubuntu-bug mysql-server"
  * Choose "View Report"
  * Search for "123"

  Expected behavior:
  Password is scrambled or otherwise not written to the apport report

  Actual behavior:
  The entire failed grant statement is written to the apport report

  [Regression Potential]
  The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.

  [Original description]
  Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1574458/+subscriptions
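
The two filtering strategies the [Regression Potential] section contrasts (replacing every line that mentions a sensitive term, versus rewriting only the password literal the way MySQL's own password-logging logic does), as an added Python example written for this page. It is not the Ubuntu apport hook, the mysql-5.7 patch, or any code from the bug report. The list of sensitive terms, the error-log lines and the test secrets are assumptions constructed to illustrate the point, and the whole-line rule deliberately over-matches so that the debugging cost the reporter mentions is visible:

```python
import re

# Statements whose literals MySQL's own password rewriting hides before
# logging, per the password-logging page linked in the bug. Assumption: the
# Ubuntu apport-hook fix keys on this same set of terms; the exact list it
# uses is not reproduced on this page.
SENSITIVE_TERMS = (
    "CREATE USER", "ALTER USER", "GRANT", "SET PASSWORD",
    "PASSWORD(", "OLD_PASSWORD(",
    "CHANGE MASTER TO", "CREATE SERVER", "ALTER SERVER",
)

# Any line mentioning one of the terms, case-insensitively. The leading \b is
# the only anchor, so "Reloading grant tables" matches just like "GRANT ...".
_TERM_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in SENSITIVE_TERMS) + ")",
    re.IGNORECASE,
)

REDACTED = "[line removed by log filter: may contain credentials]"


def redact_whole_lines(log_text: str) -> str:
    """Coarse filter in the style the bug's [Regression Potential] section
    describes: every line containing a sensitive term is replaced outright."""
    return "\n".join(
        REDACTED if _TERM_RE.search(line) else line
        for line in log_text.splitlines()
    )


# Finer alternative: keep the line, blank only the quoted secret itself.
_QUOTED = r"'(?:[^'\\]|\\.)*'"  # single-quoted SQL literal with backslash escapes
_SECRET_PATTERNS = (
    # GRANT / CREATE USER / ALTER USER ... IDENTIFIED [WITH plugin] BY|AS [PASSWORD] '...'
    re.compile(r"(IDENTIFIED\s+(?:WITH\s+\S+\s+)?(?:BY|AS)\s+(?:PASSWORD\s+)?)" + _QUOTED,
               re.IGNORECASE),
    # PASSWORD('...') and OLD_PASSWORD('...'), e.g. in SET PASSWORD
    re.compile(r"((?:OLD_)?PASSWORD\s*\(\s*)" + _QUOTED + r"(\s*\))", re.IGNORECASE),
    # CHANGE MASTER TO ... MASTER_PASSWORD='...'
    re.compile(r"(MASTER_PASSWORD\s*=\s*)" + _QUOTED, re.IGNORECASE),
)


def _mask(m: re.Match) -> str:
    # Keep the captured prefix (and closing paren where the pattern has one),
    # drop the literal.
    suffix = m.group(2) if m.re.groups >= 2 else ""
    return m.group(1) + "'<secret>'" + suffix


def rewrite_secrets(log_text: str) -> str:
    """Targeted filter: rewrite the password literal but keep the rest of the
    line, so the failed statement stays useful for debugging."""
    out = log_text
    for pat in _SECRET_PATTERNS:
        out = pat.sub(_mask, out)
    return out


def leaked_secrets(log_text: str, secrets) -> list:
    """Post-filter check: which of the known secrets still appear verbatim."""
    return [s for s in secrets if s in log_text]


# Constructed sample error log (not a real capture). Line 2 is the failed
# GRANT from the bug's test case; line 3 shows the coarse filter's
# over-matching; line 5 is a harmless message that merely mentions a password.
SAMPLE_LOG = """\
2016-04-25T14:02:11.000000Z 0 [Note] mysqld: ready for connections.
2016-04-25T14:03:22.000000Z 3 [Warning] Statement failed: GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123' (password does not satisfy the current policy requirements)
2016-04-25T14:03:30.000000Z 0 [Note] Reloading grant tables
2016-04-25T14:04:01.000000Z 4 [Warning] Statement failed: SET PASSWORD FOR 'app'@'%' = PASSWORD('hunter2')
2016-04-25T14:04:05.000000Z 4 [Note] Access denied for user 'app'@'localhost' (using password: YES)
"""
TEST_SECRETS = ("123", "hunter2")

if __name__ == "__main__":
    print(redact_whole_lines(SAMPLE_LOG))
    print(rewrite_secrets(SAMPLE_LOG))
    print("leaked after rewrite:", leaked_secrets(rewrite_secrets(SAMPLE_LOG), TEST_SECRETS))
```

Running it shows the coarse filter losing the harmless "grant tables" line along with the two statements, while the targeted rewrite keeps both failed statements readable with only the literal replaced. leaked_secrets() is the check worth running over a report produced by "ubuntu-bug mysql-server" before attaching it: if the test password still appears, the filter in use does not cover the statement that wrote it.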