Hi Daniel,

> Hi!
> 
> On Wed., 23 Sep. 2020 at 12:54, compositiv GmbH (
> i...@compositiv.com) wrote:
> 
> > Package: glances
> > Version: 3.1.0-1
> > Severity: important
> >
> > Dear Maintainer,
> >
> > when changing the service file structure from SysVinit to systemd on
> > Debian 10 (Buster), a security issue was introduced:
> > The service unit file is enabled by default without explicitly defining
> > the bind address as localhost or implementing any other form of access
> > control.  Thus, the service is exposed to the whole network and any
> > compatible client can connect and gather an extensive amount of data from
> > the system.
> >
> > This behaviour was not present in previous Debian releases, where execution
> > of the listener was disabled through /etc/default/glances by default
> > (RUN="false").
> >
> > The issue has been known since Fri, 11 Oct 2019 and was fixed with upstream
> > release 3.1.3-1 on Fri, 17 Jan 2020 in testing/unstable (see
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942162), but has never
> > been backported to stable since, hence the renewed bug report.
> >
> > Any of the following would be an acceptable solution:
> > - disable the service by default (previous behaviour, service is not
> > required for connection to localhost anyway)
> > - configure the bind address to 127.0.0.1
> > - implement another restriction like setting a random password on
> > installation
> >
> > Kind regards,
> >   David Winterstein
> >
> > compositiv GmbH
> > Hammer Deich 30
> > 20537 Hamburg
> > Tel: +49 40 6094349 0
> > Fax: +49 40 6094349 40
> > Web: www.compositiv.com
> > Mail: i...@compositiv.com
> >
> > Geschäftsführer Matthias Krawen
> > Amtsgericht Hamburg - HRB 122540
> > USt.-IdNr: DE282432834
> >
> >
> 
> The fixed version will be in stable when bullseye becomes stable.

As an additional note, since we were contacted about this bug report: such
an issue can (if possible) also be fixed in the current stable release,
not only via DSAs (when the issue does not warrant one, and this one is
likely such a no-dsa candidate) but also via the regular point
releases.

Information for that is in
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Hope this helps,

Regards,
Salvatore
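The exposure described in the report, and the bind-address fix it proposes, as an added shell example that is not part of this thread or of the glances package: it flags a glances listener bound to a wildcard address in `ss -ltn` output and prints the systemd drop-in that pins it to loopback. It assumes glances' default server port 61209, the `ss -ltn` column layout, and /usr/bin/glances as the binary path.

```shell
#!/bin/sh
# Added example, not from the bug report or the glances package.
# Assumption: glances' default server port is 61209 (not stated in the thread).
GLANCES_PORT=61209

# Constructed sample of `ss -ltn` output: glances exposed on IPv4 and IPv6
# wildcard addresses, plus an unrelated loopback-only listener.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       5       0.0.0.0:61209        0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       5       [::]:61209           [::]:*'

# exposed_listeners: read `ss -ltn` lines on stdin and print the bind address
# of every socket on $GLANCES_PORT that is not restricted to loopback.
exposed_listeners() {
    awk -v port="$GLANCES_PORT" '
        NR > 1 && $1 == "LISTEN" {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # drop the ":port" suffix
            if ($4 ~ (":" port "$") && addr != "127.0.0.1" && addr != "[::1]")
                print addr
        }'
}

# exposed_count: number of non-loopback glances listeners in the sample.
exposed_count() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}

# Mitigation proposed in the report (bind to 127.0.0.1), applied as a systemd
# drop-in so the packaged unit stays untouched. The ExecStart path is assumed.
print_override() {
    cat <<'EOF'
# /etc/systemd/system/glances.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/glances -s -B 127.0.0.1
EOF
}

if [ "$(exposed_count)" -gt 0 ]; then
    echo "glances server reachable beyond loopback on these addresses:"
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
    echo "suggested drop-in (then: systemctl daemon-reload && systemctl restart glances):"
    print_override
fi
```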
