Bug 456210

Summary: Plaintext passwords in web_customer.password
Product: [Community] Spacewalk
Reporter: Jan Pazdziora <jpazdziora>
Component: Server
Assignee: Jan Pazdziora <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: low
Priority: low
Version: 0.1
CC: dgoodwin
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-17 06:59:35 UTC
Bug Blocks: 456550

Description Jan Pazdziora 2008-07-22 08:54:10 UTC
When you create a new organization in RHN Satellite v5.1.0, the
administrator password is stored in plain text in the web_customer
table.

That field isn't even used; we should drop the column from our DB entirely.

In Spacewalk 0.1, the Java code does not pass in a password to the call to the
stored proc: create_new_org. But the database column is still there.

This is related to Satellite's bug 450038 and bug 453664.

Comment 1 Jan Pazdziora 2008-07-22 09:00:30 UTC
Fix committed: a6a0b3864af0ccd52dcaae121bf070a36d8f6a1a.

Comment 2 Jan Pazdziora 2008-07-22 10:25:08 UTC
Plus fix: cd62f73a778af286132e27b6ff41377ab1618327

Comment 3 Devan Goodwin 2008-09-05 14:43:33 UTC
SQL> desc web_customer;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ID                                        NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(128)
 ORACLE_CUSTOMER_ID                                 NUMBER
 ORACLE_CUSTOMER_NUMBER                             NUMBER
 CUSTOMER_TYPE                             NOT NULL CHAR(1)
 CREDIT_APPLICATION_COMPLETED                       VARCHAR2(1)
 CREATED                                   NOT NULL DATE
 MODIFIED                                  NOT NULL DATE

SQL>

Verified against spacewalk 0.2.

Comment 4 Miroslav Suchý 2009-09-17 06:59:35 UTC
Spacewalk has been released for a long time.