Package: gkrellweather
Version: 2.0.8-2.1
Severity: important
Tags: security

/usr/share/gkrellm/GrabWeather uses $WeatherSrc = 'http://tgftp.nws.noaa.gov/data/observations/metar/decoded'; while the URL is now served over https. In particular, the requested URL contains private information: the station ID, giving information on the user's location (the IP address of the user may also give such information, but not necessarily). Moreover, the document contents could be changed by an attacker, and there is little sanitization...

-- System Information:
Debian Release: 10.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gkrellweather depends on:
ii  gkrellm       2.3.10-2+b1
ii  libc6         2.28-10
ii  libglib2.0-0  2.58.3-2
ii  libgtk2.0-0   2.24.32-3
ii  libwww-perl   6.36-2
ii  perl          5.28.1-6
ii  wget          1.20.1-1.1

gkrellweather recommends no packages.

gkrellweather suggests no packages.

-- no debconf information
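The two risks named in the report (the station ID travelling in a plaintext URL, and a fetched document that is parsed with little sanitization) are both addressed by fetching over TLS with certificate verification, validating the station ID before it is placed in the URL, and treating the response as untrusted text that must match a strict shape before any value is extracted. The following is an added illustration written for this report, not code from the gkrellweather package or its GrabWeather script; it assumes the https form of the NOAA base URL given above, the conventional `<STATION>.TXT` file name under that directory, and four-character ICAO station identifiers. The sample report bodies are constructed for the example.

```python
import re
import ssl
import urllib.request

# Assumption: the decoded-METAR directory from the report, now reached over https.
WEATHER_SRC = "https://tgftp.nws.noaa.gov/data/observations/metar/decoded"

# Assumption: ICAO station identifiers are exactly four upper-case letters/digits.
STATION_RE = re.compile(r"[A-Z0-9]{4}")

# Hard ceiling on what we are willing to read from the network.
MAX_BODY_BYTES = 64 * 1024

# A decoded-METAR line is short, printable ASCII; anything else is rejected.
LINE_RE = re.compile(r"[\x20-\x7e]{0,200}")

# Strict shape for the value we actually want out of the document.
TEMP_RE = re.compile(r"Temperature:\s*(-?\d+(?:\.\d+)?) F \((-?\d+(?:\.\d+)?) C\)")


def station_url(station_id: str) -> str:
    """Build the report URL only for a syntactically valid station ID.

    Validating first prevents path traversal or query injection through the
    station ID, which in GrabWeather is user-supplied configuration.
    """
    if not STATION_RE.fullmatch(station_id):
        raise ValueError(f"invalid station id: {station_id!r}")
    return f"{WEATHER_SRC}/{station_id}.TXT"


def sanitize_report(body: bytes) -> list[str]:
    """Accept the response only if it is bounded, ASCII, and line-shaped.

    The server (or anyone able to tamper with the response) is untrusted, so
    control characters, non-ASCII bytes and oversized bodies are refused
    rather than passed on to the rest of the program.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("report body exceeds size limit")
    text = body.decode("ascii")  # raises UnicodeDecodeError on non-ASCII bytes
    lines = []
    for line in text.splitlines():
        if not LINE_RE.fullmatch(line):
            raise ValueError(f"unexpected characters in report line: {line!r}")
        lines.append(line)
    return lines


def parse_temperature(lines: list[str]):
    """Return (fahrenheit, celsius) from a sanitized report, or None."""
    for line in lines:
        m = TEMP_RE.fullmatch(line)
        if m:
            return float(m.group(1)), float(m.group(2))
    return None


def fetch_report(station_id: str, timeout: float = 10.0) -> list[str]:
    """Fetch and sanitize a station report over verified TLS (needs network)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with urllib.request.urlopen(station_url(station_id), timeout=timeout, context=ctx) as resp:
        return sanitize_report(resp.read(MAX_BODY_BYTES + 1))


# Constructed sample bodies (not real NOAA output).
SAMPLE_REPORT = (
    b"Constructed Airport, XX\n"
    b"Wind: from the N (360 degrees) at 10 MPH (9 KT):0\n"
    b"Temperature: 50.0 F (10.0 C)\n"
    b"Relative Humidity: 72%\n"
)
TAMPERED_REPORT = b"Temperature: 50.0 F (10.0 C)\x1b]0;evil\x07\n"


if __name__ == "__main__":
    print(station_url("KJFK"))
    print(parse_temperature(sanitize_report(SAMPLE_REPORT)))
```

`fetch_report` is the only function that touches the network; everything else runs offline, which is what makes the validation and sanitization easy to unit-test and keeps the trust boundary (network bytes in, checked lines out) in one place.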