Package: glances
Version: 3.1.0-1
Severity: important

Dear Maintainer,

when changing the service file structure from SysVinit to systemd on Debian 10 (Buster), a security issue was introduced: the service unit file is enabled by default without explicitly defining the bind address as localhost or implementing any other form of access control. Thus, the service is exposed to the whole network and any compatible client can connect and gather an extensive amount of data from the system. This behaviour was not present in previous Debian releases, where execution of the listener was disabled by default through /etc/default/glances (RUN="false").

The issue has been known since Fri, 11 Oct 2019 and was fixed with upstream release 3.1.3-1 on Fri, 17 Jan 2020 in testing/unstable (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942162), but it has never been backported to stable since, hence the renewed bug report.

Any of the following would be an acceptable solution:

- disable the service by default (previous behaviour; the service is not required for connections to localhost anyway)
- configure the bind address to 127.0.0.1
- implement another restriction, such as setting a random password on installation

Kind regards,
David Winterstein

compositiv GmbH
Hammer Deich 30
20537 Hamburg
Tel: +49 40 6094349 0
Fax: +49 40 6094349 40
Web: www.compositiv.com
Mail: i...@compositiv.com
Geschäftsführer Matthias Krawen
Amtsgericht Hamburg - HRB 122540
USt.-IdNr: DE282432834

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-10-amd64 (SMP w/48 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages glances depends on:
ii  adduser                3.118
ii  lsb-base               10.2019051400
ii  node-normalize.css     8.0.1-3
ii  python3                3.7.3-1
ii  python3-pkg-resources  40.8.0-1
ii  python3-psutil         5.5.1-1

Versions of packages glances recommends:
ii  hddtemp                0.3-beta15-53
ii  lm-sensors             1:3.5.0-3
ii  python3-bottle         0.12.15-2
ii  python3-docker         3.4.1-4
ii  python3-influxdb       5.2.0-1
ii  python3-matplotlib     3.0.2-2
ii  python3-netifaces      0.10.4-1+b1
ii  python3-pysnmp4        4.4.6+repack1-1
ii  python3-pystache       0.5.4-6

Versions of packages glances suggests:
pn  glances-doc            <none>

-- no debconf information
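As an added example that is not part of the bug report: a POSIX shell check, in the spirit of the exposure described above, that reads `ss -ltnp` output and flags listening sockets of a named process bound to anything other than a loopback address. The `ss` output embedded below is constructed sample data, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or the glances project):
# audit_listeners PROCESS  reads `ss -ltnp` output on stdin and prints
# every listening socket of PROCESS bound outside 127.0.0.0/8 or ::1.
# Exit status 1 if any such socket was found, 0 otherwise.
audit_listeners() {
    proc="$1"
    awk -v proc="$proc" '
        NR == 1 && $1 == "State" { next }          # skip the ss header line
        index($0, "\"" proc "\"") == 0 { next }    # only sockets of PROCESS
        {
            addr = $4                              # "Local Address:Port" column
            sub(/:[0-9]+$/, "", addr)              # drop the port
            gsub(/[\[\]]/, "", addr)               # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
            print proc " listens on " $4
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `ss -ltnp` output (61209 is the glances server's
# default port). The IPv4 glances socket is bound to all interfaces, the
# IPv6 one to loopback only.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=612,fd=7))
LISTEN  0       5       0.0.0.0:61209       0.0.0.0:*          users:(("glances",pid=1234,fd=3))
LISTEN  0       5       [::1]:61209         [::]:*             users:(("glances",pid=1235,fd=3))
LISTEN  0       128     *:22                *:*                users:(("sshd",pid=700,fd=3))'

# Run the check on the sample; on a live host use: ss -ltnp | audit_listeners glances
printf '%s\n' "$SAMPLE_SS" | audit_listeners glances
```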