Activity log for bug #1574458

Date Who What changed Old value New value Message
2016-04-25 06:17:11 BCB bug added bug
2016-04-25 23:34:34 Seth Arnold information type Private Security Public Security
2016-04-26 01:48:42 Seth Arnold bug task added mysql-5.6 (Ubuntu)
2016-04-26 01:49:05 Seth Arnold bug task added mysql-5.5 (Ubuntu)
2016-04-26 01:51:21 Seth Arnold bug task added mariadb-5.5 (Ubuntu)
2016-04-26 01:51:39 Seth Arnold bug task added mariadb-10.0 (Ubuntu)
2016-04-26 05:46:00 Robie Basak bug added subscriber Lars Tangvald
2016-04-29 11:42:56 Robie Basak mysql-5.7 (Ubuntu): assignee Lars Tangvald (lars-tangvald)
2016-04-29 11:42:59 Robie Basak mysql-5.7 (Ubuntu): importance Undecided High
2016-04-29 11:43:04 Robie Basak mysql-5.7 (Ubuntu): status New Triaged
2016-04-29 12:01:36 Robie Basak mysql-5.7 (Ubuntu): milestone ubuntu-16.05
2016-05-04 10:31:34 Lars Tangvald mysql-5.7 (Ubuntu): status Triaged In Progress
2016-07-13 14:18:55 Robie Basak mysql-5.7 (Ubuntu): status In Progress Fix Released
2016-07-13 14:18:59 Robie Basak nominated for series Ubuntu Xenial
2016-07-13 14:18:59 Robie Basak bug task added mysql-5.5 (Ubuntu Xenial)
2016-07-13 14:18:59 Robie Basak bug task added mysql-5.6 (Ubuntu Xenial)
2016-07-13 14:18:59 Robie Basak bug task added mariadb-5.5 (Ubuntu Xenial)
2016-07-13 14:18:59 Robie Basak bug task added mariadb-10.0 (Ubuntu Xenial)
2016-07-13 14:18:59 Robie Basak bug task added mysql-5.7 (Ubuntu Xenial)
2016-07-13 14:19:10 Robie Basak mysql-5.7 (Ubuntu Xenial): status New In Progress
2016-07-13 14:19:10 Robie Basak mysql-5.7 (Ubuntu Xenial): assignee Robie Basak (racb)
2016-07-13 14:26:42 Robie Basak mysql-5.7 (Ubuntu Xenial): importance Undecided High
2016-07-14 11:21:25 Robie Basak mysql-5.7 (Ubuntu Xenial): milestone xenial-updates
2016-07-14 11:22:07 Robie Basak mysql-5.7 (Ubuntu Xenial): milestone xenial-updates ubuntu-16.04.1
2016-07-14 12:45:37 Lars Tangvald description
Old value:
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.
New value:
MySQL has some logic for ensuring passwords aren't written to the logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html (passwords are rewritten before they are logged). However, a failed grant statement is written unaltered to the error log, bypassing the password rewriting logic.

[Impact]
Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.

[Test case]
(note/todo: I had a simpler test for this, but can't find the exact syntax for it)
* Add the following to the server config:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
and restart the server
* Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
* Observe statement failing because it doesn't follow password validation rules

Expected behavior: Password is scrambled or otherwise not written to the error log
Actual behavior: The entire failed grant statement is written to the error log

[Regression Potential]
The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.

[Original description]
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.
2016-07-15 19:24:19 Adam Conrad mysql-5.7 (Ubuntu Xenial): status In Progress Fix Committed
2016-07-15 19:24:20 Adam Conrad bug added subscriber Ubuntu Stable Release Updates Team
2016-07-15 19:24:27 Adam Conrad bug added subscriber SRU Verification
2016-07-15 19:24:31 Adam Conrad tags verification-needed
2016-07-20 12:51:04 Christian Ehrhardt tags verification-needed verification-done
2016-07-20 13:09:35 Robie Basak description
Old value:
MySQL has some logic for ensuring passwords aren't written to the logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html (passwords are rewritten before they are logged). However, a failed grant statement is written unaltered to the error log, bypassing the password rewriting logic.

[Impact]
Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.

[Test case]
(note/todo: I had a simpler test for this, but can't find the exact syntax for it)
* Add the following to the server config:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
and restart the server
* Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
* Observe statement failing because it doesn't follow password validation rules

Expected behavior: Password is scrambled or otherwise not written to the error log
Actual behavior: The entire failed grant statement is written to the error log

[Regression Potential]
The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.

[Original description]
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.
New value:
MySQL has some logic for ensuring passwords aren't written to the logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html (passwords are rewritten before they are logged). However, a failed grant statement is written unaltered to the error log, bypassing the password rewriting logic.

[Impact]
Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.

[Test case]
(note/todo: I had a simpler test for this, but can't find the exact syntax for it)
* Add the following to the server config:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
and restart the server
* Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
* Observe statement failing because it doesn't follow password validation rules
* Run "ubuntu-bug mysql-server"
* Choose "View Report"
* Search for "123"

Expected behavior: Password is scrambled or otherwise not written to the apport report
Actual behavior: The entire failed grant statement is written to the apport report

[Regression Potential]
The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.

[Original description]
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.
2016-07-21 16:41:33 Launchpad Janitor mysql-5.7 (Ubuntu Xenial): status Fix Committed Fix Released
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3424
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3459
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3477
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3486
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3501
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3518
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3521
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3588
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3614
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-3615
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-5436
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-5437
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-5439
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-5440
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-5441
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-5442
2016-07-21 16:41:33 Launchpad Janitor cve linked 2016-5443
2016-12-16 20:41:30 Joshua Powers bug added subscriber Ubuntu Server Team
2017-06-07 15:33:19 Nish Aravamudan bug task deleted mysql-5.6 (Ubuntu Xenial)
2017-06-07 15:34:25 Nish Aravamudan bug task deleted mysql-5.5 (Ubuntu Xenial)
2017-06-07 15:35:01 Nish Aravamudan bug task deleted mariadb-5.5 (Ubuntu Xenial)
2017-06-07 15:41:32 Nish Aravamudan nominated for series Ubuntu Trusty
2017-06-07 15:41:32 Nish Aravamudan bug task added mysql-5.5 (Ubuntu Trusty)
2017-06-07 15:41:32 Nish Aravamudan bug task added mysql-5.6 (Ubuntu Trusty)
2017-06-07 15:41:32 Nish Aravamudan bug task added mariadb-5.5 (Ubuntu Trusty)
2017-06-07 15:41:32 Nish Aravamudan bug task added mariadb-10.0 (Ubuntu Trusty)
2017-06-07 15:41:32 Nish Aravamudan bug task added mysql-5.7 (Ubuntu Trusty)
2017-06-07 15:41:40 Nish Aravamudan bug task deleted mysql-5.7 (Ubuntu Trusty)
2017-06-07 15:42:07 Nish Aravamudan bug task deleted mariadb-10.0 (Ubuntu Trusty)
2017-06-07 15:43:20 Nish Aravamudan mysql-5.6 (Ubuntu): status New Invalid
2017-06-07 15:43:31 Nish Aravamudan mysql-5.5 (Ubuntu): status New Invalid
2017-06-07 15:43:42 Nish Aravamudan mariadb-5.5 (Ubuntu): status New Invalid
2017-06-07 15:52:25 Nish Aravamudan mysql-5.6 (Ubuntu Trusty): status New Invalid
2017-06-07 15:52:38 Nish Aravamudan mariadb-10.0 (Ubuntu): status New Invalid
2017-06-07 15:52:49 Nish Aravamudan bug task added mariadb-10.1 (Ubuntu)
2017-06-07 15:56:05 Nish Aravamudan mariadb-10.0 (Ubuntu Xenial): status New Confirmed
2017-06-07 15:56:56 Nish Aravamudan mariadb-10.1 (Ubuntu): status New Confirmed
2017-06-07 15:59:02 Nish Aravamudan mysql-5.5 (Ubuntu Trusty): status New Confirmed
2017-06-07 15:59:12 Nish Aravamudan mariadb-5.5 (Ubuntu Trusty): status New Confirmed
2021-02-19 11:03:57 Christian Ehrhardt removed subscriber Ubuntu Server