Package: glances
Version: 3.1.0-1
Severity: normal

Dear Maintainer,

I recently found that the glances <https://packages.debian.org/buster/glances> package has added an XMLRPC API server that provides access for remote users. Unfortunately it requires no authentication, and worse, it binds to 0.0.0.0, meaning the glances API is exposed to the whole network. I suggest that the packager adds a random password on install, and reminds the user to change it afterwards.

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages glances depends on:
ii  adduser                3.118
ii  lsb-base               10.2019051400
ii  node-normalize.css     8.0.1-3
ii  python3                3.7.3-1
ii  python3-pkg-resources  40.8.0-1
ii  python3-psutil         5.5.1-1

Versions of packages glances recommends:
ii  hddtemp             0.3-beta15-53
ii  lm-sensors          1:3.5.0-3
ii  python3-bottle      0.12.15-2
ii  python3-docker      3.4.1-4
ii  python3-influxdb    5.2.0-1
ii  python3-matplotlib  3.0.2-2
ii  python3-netifaces   0.10.4-1+b1
ii  python3-pysnmp4     4.4.6+repack1-1
ii  python3-pystache    0.5.4-6

Versions of packages glances suggests:
pn  glances-doc  <none>

-- no debconf information
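The report above boils down to two checks an administrator can automate: is the glances XML-RPC server listening on a wildcard address, and has a non-default password been set. The following is an added example, not code from the bug report, from the glances project or from the Debian package. It parses `ss -tlnp`-style listener lines (a constructed sample is embedded; on a real host you would feed in the command's actual output), flags any glances listener bound to 0.0.0.0 or ::, and generates the kind of random install-time password the reporter suggests. The port 61209 in the sample is assumed to be the glances server's default port; the process name matching and the `ss` column layout are assumptions about the tool's output format.

```python
import re
import secrets
import string

# Constructed sample in the column layout of `ss -H -tlnp` (not captured from a real host).
# The first line models the situation described in the report: the glances XML-RPC
# server listening on the wildcard address 0.0.0.0 (port 61209 assumed to be its default).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:61209 0.0.0.0:* users:(("glances",pid=1234,fd=5))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=400,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=300,fd=3))
"""

# Addresses that mean "every interface" for IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_listeners(ss_output):
    """Return a list of (address, port, process_name) tuples from ss -tlnp style lines.

    Only LISTEN rows are considered; the local address is the fourth column and
    the owning process name is taken from the users:(("name",...)) field when present.
    """
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        # rpartition handles both "0.0.0.0:61209" and "[::]:22"
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")
        match = re.search(r'\("([^"]+)"', line)
        proc = match.group(1) if match else None
        listeners.append((addr, int(port), proc))
    return listeners


def exposed_listeners(ss_output, process_names=("glances",)):
    """Return the listeners of the named processes that are bound to a wildcard address."""
    return [
        (addr, port, proc)
        for addr, port, proc in parse_listeners(ss_output)
        if proc in process_names and addr in WILDCARD_ADDRS
    ]


def random_password(length=24):
    """Generate an install-time password from a CSPRNG, as the reporter suggests.

    Letters and digits only, so it survives quoting in shell and config files.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for addr, port, proc in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"WARNING: {proc} listening on wildcard address {addr}:{port}")
    print("suggested initial password:", random_password())
```

Running this against the constructed sample reports the glances listener on 0.0.0.0:61209 and leaves cupsd (loopback only) and sshd (not in the watched process list) alone. To feed real data, replace `SAMPLE_SS_OUTPUT` with the output of `ss -H -tlnp` captured via `subprocess.run`.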