RotherOSS / otobo

OTOBO is one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management. https://otobo.io/
GNU General Public License v3.0

Make logging of plain text passwords a bit harder #3737

Open bschmalhofer opened 2 weeks ago

bschmalhofer commented 2 weeks ago

This was brought to attention in https://www.heise.de/forum/heise-online/Kommentare/Ticketsystem-OTRS-Angreifer-koennen-unverschluesselte-Passwoerter-einsehen/forum-546448/comment/.

Plain text passwords can be logged when passwords are stored in plain text in the database and when authentication debug logging is activated by changing the source code. This means that inadvertently activating debug logging is not likely.

Nevertheless, logging plain text passwords can be safeguarded in a stricter way. @eyazi provided a patch for that in #3731.

The plan is to first apply the patch in rel-11_0. Then the commit will be backported to rel-10_0 and rel-10_1.

bschmalhofer commented 2 weeks ago

Backporting has been done. The next step is to run the test suite in the relevant branches.

Also, debug log is now activated by setting a lexical variable. So anybody who wants to change the logging must have access to the source code.
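The pattern described in this thread, as an added illustration that is not OTOBO's code and not the patch from #3731: the debug switch is a file-scoped lexical with no config key, environment variable or command-line flag behind it, so turning it on means editing the source, and the log line is built from a redaction helper so that neither the submitted nor the stored password appears in clear even when debugging is on. The function names (`Auth`, `Redact`), the parameter names and the sample credentials are all constructed for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical illustration, not OTOBO code. Because $Debug is a lexical
# rather than a config value, nothing outside this file can flip it: an
# operator has to edit the source, which is the property the issue wants.
my $Debug = 0;

# Replace a secret with a placeholder that only reveals its length.
# Called unconditionally, so a later "just log it" change cannot leak it.
sub Redact {
    my %Param = @_;
    my $Value = $Param{Value} // '';
    return $Value eq '' ? '<empty>' : '<redacted, ' . length($Value) . ' chars>';
}

# Hypothetical authentication check. $Stored stands for whatever the
# database holds (in the issue's scenario, the plain text password).
# Returns 1 on success, 0 otherwise; the log line never carries either value.
sub Auth {
    my %Param = @_;
    my ( $User, $Pw, $Stored ) = @Param{qw(User Pw Stored)};

    my $Ok = defined $Stored && defined $Pw && $Stored eq $Pw;

    if ($Debug) {
        print STDERR sprintf(
            "Auth debug: user=%s submitted=%s stored=%s result=%s\n",
            $User,
            Redact( Value => $Pw ),
            Redact( Value => $Stored ),
            $Ok ? 'ok' : 'fail',
        );
    }
    return $Ok ? 1 : 0;
}

# Constructed sample run (credentials are made up for the example).
print Auth( User => 'alice', Pw => 'hunter2', Stored => 'hunter2' ), "\n";    # 1
print Auth( User => 'alice', Pw => 'wrong',   Stored => 'hunter2' ), "\n";    # 0
```

Set `$Debug = 1` in the file and rerun: the debug line shows `submitted=<redacted, 7 chars>` rather than the password. Note that this only hardens the logging side; it does nothing about passwords being stored in plain text in the database, which is the precondition the issue names.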