Hi Salvatore!

On Thu, 24 Sep 2020 at 23:24, Salvatore Bonaccorso (
car...@debian.org) wrote:

> Hi Daniel,
>
> > Hi!
> >
> > On Wed, 23 Sep 2020 at 12:54, compositiv GmbH (
> > i...@compositiv.com) wrote:
> >
> > > Package: glances
> > > Version: 3.1.0-1
> > > Severity: important
> > >
> > > Dear Maintainer,
> > >
> > > when changing the service file structure from SysVinit to systemd on
> > > Debian 10 (Buster), a security issue was introduced:
> > > The service unit file is enabled by default without explicitly defining
> > > the bind address as localhost or implementing any other form of access
> > > control. Thus, the service is exposed to the whole network and any
> > > compatible client can connect and gather an extensive amount of data from
> > > the system.
> > >
> > > This behaviour was not given in previous Debian releases, where execution
> > > of the listener was disabled through /etc/default/glances by default
> > > (RUN="false").
> > >
> > > The issue has been known since Fri, 11 Oct 2019 and has been fixed with
> > > upstream release 3.1.3-1 on Fri, 17 Jan 2020 in testing/unstable (see
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942162), but has never
> > > been backported to stable since, hence the renewed bug report.
> > >
> > > Any of the following would be an acceptable solution:
> > > - disable the service by default (previous behaviour, service is not
> > > required for connection to localhost anyway)
> > > - configure the bind address to 127.0.0.1
> > > - implement another restriction like setting a random password on
> > > installation
> > >
> > > Kind regards,
> > >   David Winterstein
> > >
> > > compositiv GmbH
> > > Hammer Deich 30
> > > 20537 Hamburg
> > > Tel: +49 40 6094349 0
> > > Fax: +49 40 6094349 40
> > > Web: www.compositiv.com
> > > Mail: i...@compositiv.com
> > >
> > > Geschäftsführer Matthias Krawen
> > > Amtsgericht Hamburg - HRB 122540
> > > USt.-IdNr: DE282432834
> > >
> > >
> >
> > The version fixed will be in stable when bullseye becomes stable
>
> As an additional note, as we got reached out on this bug report: Such
> an issue can (if possible) as well be fixed in a current stable
> release (not only via DSAs when they do not warrant it, and this one
> is likely such a no-dsa candidate), but as well via the regular point
> releases.
>
> Information for that is in
>
> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
>
> Hope this helps,
>
> Regards,
> Salvatore
>

You are right, I will work on this.

Thanks.

-- 
Daniel Echeverri
Debian Developer
Linux user: #477840
GPG Fingerprint:
D0D0 85B1 69C3 BFD9 4048 58FA 21FC 2950 4B52 30DB
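The bug report above lists two practical mitigations for the exposed listener: disable the unit, or bind it to 127.0.0.1. The script below is an added example (not part of this thread, the Debian package, or the glances project) showing how an administrator of a Buster host could check whether the glances listener is reachable from the network and, if so, generate the systemd drop-in that pins it to loopback. Assumptions not stated on the page: glances' default ports 61209 (server mode, `-s`) and 61208 (web mode, `-w`); the `-B` bind-address flag; that the packaged unit is `glances.service` running `/usr/bin/glances`. The socket table is constructed sample data in the shape of `ss -H -ltn` output, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the bug report or the glances project.

# Assumed glances defaults (not on the page): 61208 = web UI (-w), 61209 = server (-s).
GLANCES_PORTS="61208 61209"

# Read `ss -H -ltn`-style lines on stdin; print every glances listener whose
# local address is not loopback. Returns 1 if at least one is exposed, else 0.
flag_exposed_listeners() {
    awk -v ports="$GLANCES_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        local = $4                                   # Local Address:Port column
        port = local; sub(/.*:/, "", port)           # text after the last colon
        if (!(port in want)) next                    # not a glances port
        host = local; sub(/:[^:]*$/, "", host)       # strip ":port"
        # 127.0.0.0/8 and IPv6 ::1 are local-only; anything else is reachable
        if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
        print local; exposed = 1
    }
    END { if (exposed) exit 1; exit 0 }'
}

# Write a systemd drop-in (what `systemctl edit glances` would create under
# /etc/systemd/system/glances.service.d/) that re-binds the server to loopback.
# The ExecStart line is an assumption: mirror the arguments of the packaged
# unit and add -B 127.0.0.1. An empty ExecStart= clears the packaged one first.
write_bind_override() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/glances -s -B 127.0.0.1
EOF
}

# Constructed sample: server mode bound to all interfaces (the reported
# default), web mode correctly on loopback, and an unrelated sshd socket.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:61209 0.0.0.0:* users:(("glances",pid=1234,fd=3))
LISTEN 0 128 127.0.0.1:61208 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Demo run on the sample; on a live host replace the printf with `ss -H -ltn`.
if printf '%s\n' "$SAMPLE_SS" | flag_exposed_listeners; then
    echo "no glances listener exposed beyond loopback"
else
    echo "the listener(s) above are reachable from the network"
fi
```

On a real system, after writing the drop-in run `systemctl daemon-reload` and `systemctl restart glances`, then re-check with `ss -H -ltn | flag_exposed_listeners`; disabling the unit entirely (`systemctl disable --now glances`) remains the simplest option when nothing needs the listener.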
