Description of problem:
Password to unlock certificate is logged to /var/log/messages

May 29 19:46:42 localhost NetworkManager[4791]: destroy_one_secret: destroying ********

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-0.8.999-1.fc15.x86_64

Additional info:
I would love to have the option to type the password at connection time instead of it being stored, but adding the password to the system log is wrong.
Robert,

I can't find any related source code which could print 'destroy_one_secret: destroying'
The CVE identifier of CVE-2011-1943 has been assigned to this issue:

[1] http://www.openwall.com/lists/oss-security/2011/05/31/7
Created NetworkManager-openvpn tracking bugs for this issue

Affects: fedora-all [bug 709798]
Affects: epel-all [bug 709799]
(In reply to comment #1)
> Robert,
>
> I can't find any related source code which could print 'destroy_one_secret:
> destroying'

Run nm-connection-editor from the console and try to change a password; a message like the one in the log file is shown every time you add something to the password

** Message: destroy_one_secret: destroying asasdasdasdasd
** Message: destroy_one_secret: destroying asasdasdasdasda
** Message: destroy_one_secret: destroying asasdasdasdasdas

Probably both messages are related
*** Bug 709733 has been marked as a duplicate of this bug. ***
This is not a NetworkManager-openvpn issue, the flaw lies in the libnm-util library which is shipped with the NetworkManager package.

The flaw was introduced in the following commit (on 21st May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=ef71c5cca1f43b09fe90e52950a176bb4cee2ab2

and removed in the following commit (on 27th May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=78ce088843d59d4494965bfc40b30a2e63d065f6

This issue does not affect the version of NetworkManager shipped in Fedora 13 or Fedora 14.

This issue has been addressed in the following update for Fedora 15:
https://admin.fedoraproject.org/updates/NetworkManager-0.8.9997-1.git20110531.fc15
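
A log scrubber for hosts that ran an affected build, as an added example (not code from NetworkManager or from this report): it finds the two message forms quoted in the comments above and replaces the logged value with a marker, reporting where each leak occurred without repeating the secret. The names scrub and SAMPLE, the [REDACTED] marker and the sample lines are constructed for illustration.

```python
import re

# Both forms quoted in this report: the syslog line written by the daemon and
# the "** Message:" line printed on the console. The prefix is non-greedy so
# that everything after the first marker is treated as secret material.
LEAK = re.compile(r"(?P<prefix>.*?\bdestroy_one_secret: destroying )(?P<secret>.*)$")
# Classic syslog header: "Mon DD HH:MM:SS host process[pid]: "
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[^\[:]+)(?:\[\d+\])?: ")

def scrub(lines):
    """Return (redacted_lines, findings). Findings never contain the secret."""
    out, findings = [], []
    for number, line in enumerate(lines, 1):
        text = line.rstrip("\n")
        leak = LEAK.match(text)
        if not leak:
            out.append(text)
            continue
        header = SYSLOG.match(text)
        findings.append({
            "line": number,
            "timestamp": header.group("ts") if header else None,
            "process": header.group("proc").strip() if header else None,
        })
        out.append(leak.group("prefix") + "[REDACTED]")
    return out, findings

# Constructed sample input; the secret values are placeholders.
SAMPLE = [
    "May 29 19:46:40 localhost example[100]: constructed unrelated line",
    "May 29 19:46:42 localhost NetworkManager[4791]: destroy_one_secret: destroying constructed-secret",
    "** Message: destroy_one_secret: destroying constructed-se",
]

if __name__ == "__main__":
    redacted, found = scrub(SAMPLE)
    for entry in found:
        print("leak at line", entry["line"], entry["timestamp"], entry["process"])
    print("\n".join(redacted))
```

Any secret that shows up as a finding should be treated as exposed and changed, and rotated copies of /var/log/messages need the same scan.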
Statement: Not vulnerable. This issue did not affect the versions of NetworkManager as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Huzaifa, Cool!! Thanks!
*** Bug 708583 has been marked as a duplicate of this bug. ***
https://admin.fedoraproject.org/updates/NetworkManager-0.8.9997-2.git20110531.fc15