
0.7.15

@dmulder dmulder released this 23 Jan 15:35
7a70a0b

Impact

A vulnerability was identified in Himmelblau versions 0.7.0 through 0.8.2:

  1. Logon Compliance Script Issue: When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data.

The issue poses a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled.

Patches

The vulnerability has been addressed in Himmelblau version 0.7.15. All users are strongly encouraged to update to this version.

Workarounds

Users unable to update immediately can apply the following mitigations:

  1. For the logon compliance script issue, disable the logon_script option in /etc/himmelblau/himmelblau.conf by leaving its value empty:

       logon_script =

     Ensure the debug option in the same configuration file is set to false:

       debug = false

     Additionally, avoid using the -d flag when starting the himmelblaud daemon.
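A quick way to verify that all three workaround settings are actually in place on a host, as an added example that is not part of the Himmelblau project or this release. It assumes himmelblau.conf uses the INI-style "key = value" lines shown above and that the daemon's process name is himmelblaud.

```shell
#!/bin/sh
# Added example, not part of the Himmelblau project or this release:
# audit a host for the workaround settings above (logon_script empty,
# debug = false, himmelblaud not started with -d).
# Assumptions: himmelblau.conf uses the INI-style "key = value" lines
# shown in the advisory, and the daemon's process name is himmelblaud.

# check_himmelblau_conf FILE
# Prints each risky setting; returns 0 if clean, 1 if risky, 2 if unreadable.
check_himmelblau_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop "#"/";" comments so a commented-out "debug = true" is ignored.
    stripped=$(sed 's/[#;].*$//' "$conf")
    # A non-empty logon_script value means the compliance script still runs.
    if printf '%s\n' "$stripped" |
       grep -Eiq '^[[:space:]]*logon_script[[:space:]]*=[[:space:]]*[^[:space:]]'; then
        echo "RISK: logon_script is set in $conf (expected: logon_script =)"
        rc=1
    fi
    # debug = true is the condition under which tokens reach the log.
    if printf '%s\n' "$stripped" |
       grep -Eiq '^[[:space:]]*debug[[:space:]]*=[[:space:]]*true[[:space:]]*$'; then
        echo "RISK: debug = true in $conf (expected: debug = false)"
        rc=1
    fi
    return "$rc"
}

# check_himmelblaud_flags
# Returns 1 if a running himmelblaud was started with -d, 0 otherwise.
check_himmelblaud_flags() {
    pids=$(pgrep -x himmelblaud 2>/dev/null || true)
    for pid in $pids; do
        args=$(ps -o args= -p "$pid" 2>/dev/null)
        # Match "-d" as a separate argument anywhere on the command line.
        case " $args " in
            *" -d "*) echo "RISK: himmelblaud (pid $pid) is running with -d"; return 1 ;;
        esac
    done
    return 0
}

# Usage: sh audit.sh /etc/himmelblau/himmelblau.conf
if [ "$#" -gt 0 ]; then
    check_himmelblau_conf "$1"; a=$?
    check_himmelblaud_flags; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && echo "OK: workarounds in place"
fi
```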

References