Bugzilla – Bug 1146088
VUL-0: CVE-2019-10224: 389-ds: 389-ds-base: using dscreate in verbose mode results in information disclosure
Last modified: 2019-08-19 08:14:41 UTC
CVE-2019-10224

When dscreate is executed in verbose mode, it prints Directory Manager's password to stderr. The same happens with dsconf when I change the password.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.0.19-2

How reproducible:
always

Steps to Reproduce:
1. dscreate -v interactive
2. dsconf -v localhost directory_manager password_change

Actual results:
# dscreate -v interactive
...
DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'Directory_Manager_Password')

# dsconf -v localhost directory_manager password_change
...
Enter new directory manager password :
CONFIRM - Enter new directory manager password :
DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'new_password')

Expected results:
The actual value should not be printed in the debug logs. The Python logging module supports filters that should be used to redact sensitive information from the logs.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1654059

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1677147
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10224
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10224.html
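The report's suggested mitigation is a Python logging filter that redacts secrets before they reach a handler. The following is an added illustration of that approach, not code from 389-ds-base or the fix shipped for Ticket 50251. It assumes the DEBUG lines have the tuple shape quoted above, `('attribute', 'value')`; the attribute list beyond nsslapd-rootpw, the logger name and the sample log calls are constructed for the demo.

```python
import logging
import re
from io import StringIO

# Attribute names whose values must never be written to a log.
# nsslapd-rootpw comes from the bug report; the others are assumptions
# added for the demo and would be tuned for the real tool.
SENSITIVE_ATTRS = frozenset({
    "nsslapd-rootpw",
    "userpassword",
    "nsds5replicacredentials",
})

# Matches the rendered tuple seen in the report: ('nsslapd-rootpw', 'secret')
_TUPLE_RE = re.compile(r"\(\s*'([^']+)'\s*,\s*'([^']*)'\s*\)")


def redact(message: str) -> str:
    """Mask the value of every (attr, value) tuple whose attr is sensitive."""
    def _sub(match: re.Match) -> str:
        attr = match.group(1)
        if attr.lower() in SENSITIVE_ATTRS:
            return f"('{attr}', '********')"
        return match.group(0)
    return _TUPLE_RE.sub(_sub, message)


class RedactSecretsFilter(logging.Filter):
    """Rewrites the record's message in place before any formatter sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-args into the message first so redaction operates on the
        # final text, then clear args so the formatter does not re-apply them.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # keep the (now redacted) record


def build_logger(name: str = "lib389.redaction-demo"):
    """Return a DEBUG logger writing to a StringIO, with the filter installed."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
    # Attach to the handler, not the logger: logger-level filters are skipped
    # for records that propagate up from child loggers, handler filters are not.
    handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)
    return logger, buf


def demo() -> list:
    """Emit two constructed DEBUG lines mirroring the report and return the output."""
    logger, buf = build_logger()
    logger.debug("cn=config set REPLACE: %s",
                 ("nsslapd-rootpw", "Directory_Manager_Password"))
    logger.debug("cn=config set REPLACE: %s",
                 ("nsslapd-maxbersize", "2097152"))
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Redacting inside the filter rather than at each call site means every verbose path that logs a configuration change is covered, including ones added later; the non-sensitive attribute in the second line is left intact so debugging output stays useful.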
Already fixed in 1.4.0.23; included in the changes file as: Ticket 50251