[Bug 1201962] New: Bootloader password leaked into_YaST logs - openSUSE Bugs - openSUSE Mailing Lists

newer
[Bug 1181458] systemd: don't...

[Bug 1201962] New: Bootloader password leaked into_YaST logs

older
[Bug 1127591] zypper option...

bugzilla_noreply＠suse.com

28 Jul 2022 28 Jul '22

14:14

https://bugzilla.suse.com/show_bug.cgi?id=1201962 Bug ID: 1201962 Summary: Bootloader password leaked into_YaST logs Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: YaST2 Assignee: yast2-maintainers@suse.de Reporter: ancor@suse.com QA Contact: jsrain@suse.com Found By: --- Blocker: --- In yast2-bootloader (even during system installation) if the option "Protect Boot Loader with Password" is used, YaST executes the command grub2-mkpasswd-pbkdf2 to generate the hashed password. Doing so, it leaks the typed password to the YaST logs. https://github.com/yast/yast-bootloader/blob/master/src/lib/bootloader/grub2... -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 2.5 KB)

Reply

Sign in to reply online Use email software

Show replies by date

bugzilla_noreply＠suse.com

28 Jul 28 Jul

14:22

New subject: [Bug 1201962] Bootloader password leaked into_YaST logs

https://bugzilla.suse.com/show_bug.cgi?id=1201962 David Diaz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED URL| |https://trello.com/c/wUIl9U | |da CC| |dgonzalez@suse.com Assignee|yast2-maintainers@suse.de |yast-internal@suse.de -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

5 Dec 5 Dec

10:28

New subject: [Bug 1201962] Bootloader password leaked into_YaST logs

https://bugzilla.suse.com/show_bug.cgi?id=1201962 https://bugzilla.suse.com/show_bug.cgi?id=1201962#c8 --- Comment #8 from Swamp Workflow Management --- SUSE-RU-2022:4314-1: An update that has 8 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1199746,1201235,1201435,1201962,1202479,1203866,1204448,1204559 CVE References: JIRA References: Sources used: openSUSE Leap 15.4 (src): autoyast2-4.4.41-150400.3.13.1, yast2-bootloader-4.4.18-150400.3.3.1, yast2-installation-4.4.57-150400.3.12.1, yast2-network-4.4.53-150400.3.10.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): autoyast2-4.4.41-150400.3.13.1, yast2-bootloader-4.4.18-150400.3.3.1, yast2-installation-4.4.57-150400.3.12.1, yast2-network-4.4.53-150400.3.10.1 SUSE Linux Enterprise Installer 15-SP4 (src): autoyast2-4.4.41-150400.3.13.1, yast2-installation-4.4.57-150400.3.12.1, yast2-network-4.4.53-150400.3.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

10:29

New subject: [Bug 1201962] Bootloader password leaked into_YaST logs

https://bugzilla.suse.com/show_bug.cgi?id=1201962 https://bugzilla.suse.com/show_bug.cgi?id=1201962#c9 --- Comment #9 from Swamp Workflow Management --- SUSE-RU-2022:4316-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1201962 CVE References: JIRA References: Sources used: SUSE Manager Server 4.1 (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Manager Retail Branch Server 4.1 (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Manager Proxy 4.1 (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Linux Enterprise Installer 15-SP2 (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): yast2-bootloader-4.2.29-150200.3.12.1 SUSE Enterprise Storage 7 (src): yast2-bootloader-4.2.29-150200.3.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

10:30

New subject: [Bug 1201962] Bootloader password leaked into_YaST logs

https://bugzilla.suse.com/show_bug.cgi?id=1201962 https://bugzilla.suse.com/show_bug.cgi?id=1201962#c10 --- Comment #10 from Swamp Workflow Management --- SUSE-RU-2022:4315-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1201962 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): yast2-bootloader-4.3.32-150300.3.11.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): yast2-bootloader-4.3.32-150300.3.11.1 SUSE Linux Enterprise Installer 15-SP3 (src): yast2-bootloader-4.3.32-150300.3.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

10:31

New subject: [Bug 1201962] Bootloader password leaked into_YaST logs

https://bugzilla.suse.com/show_bug.cgi?id=1201962 https://bugzilla.suse.com/show_bug.cgi?id=1201962#c11 --- Comment #11 from Swamp Workflow Management --- SUSE-RU-2022:4317-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1201962 CVE References: JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15-SP1 (src): yast2-bootloader-4.1.27-150100.3.8.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): yast2-bootloader-4.1.27-150100.3.8.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): yast2-bootloader-4.1.27-150100.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): yast2-bootloader-4.1.27-150100.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): yast2-bootloader-4.1.27-150100.3.8.1 SUSE Enterprise Storage 6 (src): yast2-bootloader-4.1.27-150100.3.8.1 SUSE CaaS Platform 4.0 (src): yast2-bootloader-4.1.27-150100.3.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

23 Mar 23 Mar

10:44

New subject: [Bug 1201962] Bootloader password leaked into_YaST logs

https://bugzilla.suse.com/show_bug.cgi?id=1201962 https://bugzilla.suse.com/show_bug.cgi?id=1201962#c12 Johannes Segitz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |FIXED Flags|needinfo?(security-team@sus | |e.de) | --- Comment #12 from Johannes Segitz --- fixed -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

400

Age (days ago)

638

Last active (days ago)

Download

6 comments

1 participants

tags

participants (1)

bugzilla_noreply＠suse.com