reportbug includes sensitive information in report

Automatically imported from Debian bug report #295853 http://bugs.debian.org/295853

Message-Id: <email address hidden>
Date: Fri, 18 Feb 2005 15:50:14 +0100
From: Rolf Leggewie <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: reportbug includes sensitive information in report

Package: reportbug
Version: 3.2
Severity: grave
Tags: security
Justification: user security hole

Hi Chris,

as a follow-up to 295407 which you managed to fix in a whirl-wind
(kudos!), I'd like to say that reportbug still includes sensitive
information in a default report against reportbug (see the XXX below).
There might be other things it includes from .reportbugrc which are not
really meant to be stored in a publicly accessible BTS.

Best regards

Rolf Leggewie

-- Package-specific info:
** /home/leggewie/.reportbugrc:
reportbug_version "3.2"
mode standard
ui text
realname "Rolf Leggewie"
email "<email address hidden>"
smtphost "postman.arcor.de"
smtpuser "XXX"
smtppasswd "XXX"

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-586tsc
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages reportbug depends on:
ii python2.3 2.3.4-19 An interactive high-level object-o

-- no debconf information

Message-ID: <email address hidden>
Date: Fri, 18 Feb 2005 13:20:06 -0600
From: Chris Lawrence <email address hidden>
To: Rolf Leggewie <email address hidden>, <email address hidden>
Subject: Re: Bug#295853: reportbug includes sensitive information in report

These things are all fixed in unstable (version 3.8); I will see if
the release team will accept 3.8 into testing.

On Fri, 18 Feb 2005 15:50:14 +0100, Rolf Leggewie
<email address hidden> wrote:
> Package: reportbug
> Version: 3.2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi Chris,
>
> as a follow-up to 295407 which you managed to fix in a whirl-wind
> (kudos!), I'd like to say that reportbug still includes sensitive
> information in a default report against reportbug (see the XXX below).
> There might be other things it includes from .reportbugrc which are not
> really meant to be stored in a publicly accessible BTS.
>
> Best regards
>
> Rolf Leggewie
>
> -- Package-specific info:
> ** /home/leggewie/.reportbugrc:
> reportbug_version "3.2"
> mode standard
> ui text
> realname "Rolf Leggewie"
> email "<email address hidden>"
> smtphost "postman.arcor.de"
> smtpuser "XXX"
> smtppasswd "XXX"
>
> -- System Information:
> Debian Release: 3.1
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.27-1-586tsc
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
>
> Versions of packages reportbug depends on:
> ii python2.3 2.3.4-19 An interactive high-level object-o
>
> -- no debconf information
>
>

--
Chris Lawrence - http://blog.lordsutch.com/

Message-ID: <email address hidden>
Date: Fri, 18 Feb 2005 13:38:48 -0600
From: Chris Lawrence <email address hidden>
To: <email address hidden>
Subject: tag

tag 295853 +sarge
thanks
--
Chris Lawrence <email address hidden> - http://blog.lordsutch.com/

Message-Id: <email address hidden>
Date: Sat, 19 Feb 2005 17:01:29 +0100
From: Rolf Leggewie <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: reportbug: Well done!

Package: reportbug
Version: 3.2
Followup-For: Bug #295853

Chris, good to hear. From the Changelog I got the impression that this
issue still had not been addressed.

Message-ID: <email address hidden>
Date: Sat, 19 Feb 2005 15:51:23 -0600
From: Chris Lawrence <email address hidden>
To: <email address hidden>
Subject: Re: Bug#295853: reportbug: Well done!

On Sat, 19 Feb 2005 17:01:29 +0100, Rolf Leggewie
<email address hidden> wrote:
> Chris, good to hear. From the Changelog I got the impression that this
> issue still had not been addressed.

3.8 is installed in sarge as of today; closing this report.

CNL
--
Chris Lawrence - http://blog.lordsutch.com/

Already fixed in Hoary, fixed Warty in USN-88-1.

Message-ID: <email address hidden>
Date: Wed, 2 Mar 2005 17:38:48 +0900
From: Horms <email address hidden>
To: <email address hidden>
Subject: reportbug includes sensitive information in report

Should this bug be closed. The log against the bug suggests it should
be, but it seems to still be open.

--
Horms

Message-ID: <20050302133506.GB26791@andromeda>
Date: Wed, 2 Mar 2005 08:35:06 -0500
From: Justin Pryzby <email address hidden>
To: Horms <email address hidden>, <email address hidden>
Subject: Re: Bug#295853: reportbug includes sensitive information in report

Its closed; Chris's message on Feb 19 was to:
<email address hidden>, which caused it to be marked as "Done".
See also the "done" tag, up top.

Justin

On Wed, Mar 02, 2005 at 05:38:48PM +0900, Horms wrote:
> Should this bug be closed. The log against the bug suggests it should
> be, but it seems to still be open.

Message-ID: <email address hidden>
Date: Fri, 4 Mar 2005 13:49:39 +0900
From: Horms <email address hidden>
To: Justin Pryzby <email address hidden>
Cc: Horms <email address hidden>, <email address hidden>
Subject: Re: Bug#295853: reportbug includes sensitive information in report

On Wed, Mar 02, 2005 at 08:35:06AM -0500, Justin Pryzby wrote:
> Its closed; Chris's message on Feb 19 was to:
> <email address hidden>, which caused it to be marked as "Done".
> See also the "done" tag, up top.

Sorry for the noise, I must have been half asleep when I read it.

--
Horms