[原文]The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges.
Debian Linux passwd and base-config contain a flaw that may lead to an unauthorized information disclosure. The issue is caused by sensitive information written to world readable log files during the installation process resulting in a loss of confidentiality.
Upgrade to version 4.0.14-9 or higher, as it has been reported to fix this vulnerability. In addition, Joey Hess from the debian-installer team has released two patches for already installed systems.