When dscreate is executed in verbose mode, it prints Directory Manager's password to stderr. The same happens with dsconf when I change the password. Version-Release number of selected component (if applicable): 389-ds-base-1.4.0.19-2. How reproducible: always Steps to Reproduce: 1. dscreate -v interactive 2. dsconf -v localhost directory_manager password_change Actual results: # dscreate -v interactive ... DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'Directory_Manager_Password') # dsconf -v localhost directory_manager password_change ... Enter new directory manager password : CONFIRM - Enter new directory manager password : DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'new_password') Expected results: Actual value should not be printed in the debug logs. Python logging module supports filters that should be used to redact sensitive information from the logs Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1654059
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1677148]
Upstream fix : https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310
External References: https://pagure.io/389-ds-base/issue/50251
Acknowledgments: Name: Viktor Ashirov (Red Hat)
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3401 https://access.redhat.com/errata/RHSA-2019:3401
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10224