| 2016-04-25 06:17:11 |
BCB |
bug |
|
|
added bug |
| 2016-04-25 23:34:34 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
| 2016-04-26 01:48:42 |
Seth Arnold |
bug task added |
|
mysql-5.6 (Ubuntu) |
|
| 2016-04-26 01:49:05 |
Seth Arnold |
bug task added |
|
mysql-5.5 (Ubuntu) |
|
| 2016-04-26 01:51:21 |
Seth Arnold |
bug task added |
|
mariadb-5.5 (Ubuntu) |
|
| 2016-04-26 01:51:39 |
Seth Arnold |
bug task added |
|
mariadb-10.0 (Ubuntu) |
|
| 2016-04-26 05:46:00 |
Robie Basak |
bug |
|
|
added subscriber Lars Tangvald |
| 2016-04-29 11:42:56 |
Robie Basak |
mysql-5.7 (Ubuntu): assignee |
|
Lars Tangvald (lars-tangvald) |
|
| 2016-04-29 11:42:59 |
Robie Basak |
mysql-5.7 (Ubuntu): importance |
Undecided |
High |
|
| 2016-04-29 11:43:04 |
Robie Basak |
mysql-5.7 (Ubuntu): status |
New |
Triaged |
|
| 2016-04-29 12:01:36 |
Robie Basak |
mysql-5.7 (Ubuntu): milestone |
|
ubuntu-16.05 |
|
| 2016-05-04 10:31:34 |
Lars Tangvald |
mysql-5.7 (Ubuntu): status |
Triaged |
In Progress |
|
| 2016-07-13 14:18:55 |
Robie Basak |
mysql-5.7 (Ubuntu): status |
In Progress |
Fix Released |
|
| 2016-07-13 14:18:59 |
Robie Basak |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-07-13 14:18:59 |
Robie Basak |
bug task added |
|
mysql-5.5 (Ubuntu Xenial) |
|
| 2016-07-13 14:18:59 |
Robie Basak |
bug task added |
|
mysql-5.6 (Ubuntu Xenial) |
|
| 2016-07-13 14:18:59 |
Robie Basak |
bug task added |
|
mariadb-5.5 (Ubuntu Xenial) |
|
| 2016-07-13 14:18:59 |
Robie Basak |
bug task added |
|
mariadb-10.0 (Ubuntu Xenial) |
|
| 2016-07-13 14:18:59 |
Robie Basak |
bug task added |
|
mysql-5.7 (Ubuntu Xenial) |
|
| 2016-07-13 14:19:10 |
Robie Basak |
mysql-5.7 (Ubuntu Xenial): status |
New |
In Progress |
|
| 2016-07-13 14:19:10 |
Robie Basak |
mysql-5.7 (Ubuntu Xenial): assignee |
|
Robie Basak (racb) |
|
| 2016-07-13 14:26:42 |
Robie Basak |
mysql-5.7 (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2016-07-14 11:21:25 |
Robie Basak |
mysql-5.7 (Ubuntu Xenial): milestone |
|
xenial-updates |
|
| 2016-07-14 11:22:07 |
Robie Basak |
mysql-5.7 (Ubuntu Xenial): milestone |
xenial-updates |
ubuntu-16.04.1 |
|
| 2016-07-14 12:45:37 |
Lars Tangvald |
description |
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials. |
MySQL has some logic for ensuring passwords aren't written to the logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html (passwords are rewritten before they are logged). However, a failed grant statement is written unaltered to the error log, bypassing the password rewriting logic.
[Impact]
Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.
[Test case]
(note/todo: I had a simpler test for this, but can't find the exact syntax for it)
* Add the following to the server config:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
and restart the server
* Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
* Observe statement failing because it doesn't follow password validation rules
Expected behavior:
Password is scrambled or otherwise not written to the error log
Actual behavior:
The entire failed grant statement is written to the error log
[Regression Potential]
The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.
[Original description]
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials. |
|
| 2016-07-15 19:24:19 |
Adam Conrad |
mysql-5.7 (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2016-07-15 19:24:20 |
Adam Conrad |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-07-15 19:24:27 |
Adam Conrad |
bug |
|
|
added subscriber SRU Verification |
| 2016-07-15 19:24:31 |
Adam Conrad |
tags |
|
verification-needed |
|
| 2016-07-20 12:51:04 |
Christian Ehrhardt |
tags |
verification-needed |
verification-done |
|
| 2016-07-20 13:09:35 |
Robie Basak |
description |
MySQL has some logic for ensuring passwords aren't written to the logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html (passwords are rewritten before they are logged). However, a failed grant statement is written unaltered to the error log, bypassing the password rewriting logic.
[Impact]
Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.
[Test case]
(note/todo: I had a simpler test for this, but can't find the exact syntax for it)
* Add the following to the server config:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
and restart the server
* Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
* Observe statement failing because it doesn't follow password validation rules
Expected behavior:
Password is scrambled or otherwise not written to the error log
Actual behavior:
The entire failed grant statement is written to the error log
[Regression Potential]
The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.
[Original description]
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials. |
MySQL has some logic for ensuring passwords aren't written to the logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html (passwords are rewritten before they are logged). However, a failed grant statement is written unaltered to the error log, bypassing the password rewriting logic.
[Impact]
Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.
[Test case]
(note/todo: I had a simpler test for this, but can't find the exact syntax for it)
* Add the following to the server config:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
and restart the server
* Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
* Observe statement failing because it doesn't follow password validation rules
* Run "ubuntu-bug mysql-server"
* Choose "View Report"
* Search for "123"
Expected behavior:
Password is scrambled or otherwise not written to the apport report
Actual behavior:
The entire failed grant statement is written to the apport report
[Regression Potential]
The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.
[Original description]
Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials. |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
mysql-5.7 (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3424 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3459 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3477 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3486 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3501 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3518 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3521 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3588 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3614 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-3615 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-5436 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-5437 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-5439 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-5440 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-5441 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-5442 |
|
| 2016-07-21 16:41:33 |
Launchpad Janitor |
cve linked |
|
2016-5443 |
|
| 2016-12-16 20:41:30 |
Joshua Powers |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2017-06-07 15:33:19 |
Nish Aravamudan |
bug task deleted |
mysql-5.6 (Ubuntu Xenial) |
|
|
| 2017-06-07 15:34:25 |
Nish Aravamudan |
bug task deleted |
mysql-5.5 (Ubuntu Xenial) |
|
|
| 2017-06-07 15:35:01 |
Nish Aravamudan |
bug task deleted |
mariadb-5.5 (Ubuntu Xenial) |
|
|
| 2017-06-07 15:41:32 |
Nish Aravamudan |
nominated for series |
|
Ubuntu Trusty |
|
| 2017-06-07 15:41:32 |
Nish Aravamudan |
bug task added |
|
mysql-5.5 (Ubuntu Trusty) |
|
| 2017-06-07 15:41:32 |
Nish Aravamudan |
bug task added |
|
mysql-5.6 (Ubuntu Trusty) |
|
| 2017-06-07 15:41:32 |
Nish Aravamudan |
bug task added |
|
mariadb-5.5 (Ubuntu Trusty) |
|
| 2017-06-07 15:41:32 |
Nish Aravamudan |
bug task added |
|
mariadb-10.0 (Ubuntu Trusty) |
|
| 2017-06-07 15:41:32 |
Nish Aravamudan |
bug task added |
|
mysql-5.7 (Ubuntu Trusty) |
|
| 2017-06-07 15:41:40 |
Nish Aravamudan |
bug task deleted |
mysql-5.7 (Ubuntu Trusty) |
|
|
| 2017-06-07 15:42:07 |
Nish Aravamudan |
bug task deleted |
mariadb-10.0 (Ubuntu Trusty) |
|
|
| 2017-06-07 15:43:20 |
Nish Aravamudan |
mysql-5.6 (Ubuntu): status |
New |
Invalid |
|
| 2017-06-07 15:43:31 |
Nish Aravamudan |
mysql-5.5 (Ubuntu): status |
New |
Invalid |
|
| 2017-06-07 15:43:42 |
Nish Aravamudan |
mariadb-5.5 (Ubuntu): status |
New |
Invalid |
|
| 2017-06-07 15:52:25 |
Nish Aravamudan |
mysql-5.6 (Ubuntu Trusty): status |
New |
Invalid |
|
| 2017-06-07 15:52:38 |
Nish Aravamudan |
mariadb-10.0 (Ubuntu): status |
New |
Invalid |
|
| 2017-06-07 15:52:49 |
Nish Aravamudan |
bug task added |
|
mariadb-10.1 (Ubuntu) |
|
| 2017-06-07 15:56:05 |
Nish Aravamudan |
mariadb-10.0 (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2017-06-07 15:56:56 |
Nish Aravamudan |
mariadb-10.1 (Ubuntu): status |
New |
Confirmed |
|
| 2017-06-07 15:59:02 |
Nish Aravamudan |
mysql-5.5 (Ubuntu Trusty): status |
New |
Confirmed |
|
| 2017-06-07 15:59:12 |
Nish Aravamudan |
mariadb-5.5 (Ubuntu Trusty): status |
New |
Confirmed |
|
| 2021-02-19 11:03:57 |
Christian Ehrhardt |
removed subscriber Ubuntu Server |
|
|
|
