Description of problem:
Password to unlock certificate is logged to /var/log/messages
May 29 19:46:42 localhost NetworkManager: destroy_one_secret: destroying ********
Version-Release number of selected component (if applicable):
I would love to have the option to type the password at connection time instead of it being stored, but adding the password to the system log is wrong
I can't find any related source code which could print'destroy_one_secret: destroying'
The CVE identifier of CVE-2011-1943 has been assigned to this issue:
Created NetworkManager-openvpn tracking bugs for this issue
Affects: fedora-all [bug 709798]
Affects: epel-all [bug 709799]
(In reply to comment #1)
> I can't find any related source code which could print'destroy_one_secret:
Run nm-connection-editor from console, and try to change a password, a message like the one in the log file is shown every time you add a something to the password
** Message: destroy_one_secret: destroying asasdasdasdasd
** Message: destroy_one_secret: destroying asasdasdasdasda
** Message: destroy_one_secret: destroying asasdasdasdasdas
Probably both messages are related
*** Bug 709733 has been marked as a duplicate of this bug. ***
This is not a NetworkManager-openvpn issue, the flaw lies in the libnm-util library which is shipped with the NetworkManager package.
The flaw was introduced in the following commit (on 21st May 2011):
and removed in the following commit (on 27th May 2011):
This issue does not affect the version of NetworkManager shipped in Fedora 13 or Fedora 14.
This issue has been addressed in the following update for Fedora 15:
Not vulnerable. This issue did not affect the versions of NetworkManager as
shipped with Red Hat Enterprise Linux 4, 5, or 6.
*** Bug 708583 has been marked as a duplicate of this bug. ***