Hi Salvatore!

On Thu, 24 Sep 2020 at 23:24, Salvatore Bonaccorso (car...@debian.org) wrote:

> Hi Daniel,
>
> > Hi!
> >
> > On Wed, 23 Sep 2020 at 12:54, compositiv GmbH (i...@compositiv.com) wrote:
> >
> > > Package: glances
> > > Version: 3.1.0-1
> > > Severity: important
> > >
> > > Dear Maintainer,
> > >
> > > when changing the service file structure from SysVinit to systemd on
> > > Debian 10 (Buster), a security issue was introduced:
> > > The service unit file is enabled by default without explicitly defining
> > > the bind address as localhost or implementing any other form of access
> > > control. Thus, the service is exposed to the whole network and any
> > > compatible client can connect and gather an extensive amount of data from
> > > the system.
> > >
> > > This behaviour was not given in previous Debian releases, where execution
> > > of the listener was disabled through /etc/default/glances by default
> > > (RUN="false").
> > >
> > > The issue has been known since Fri, 11 Oct 2019 and has been fixed with upstream
> > > release 3.1.3-1 on Fri, 17 Jan 2020 in testing/unstable (see
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942162), but has never
> > > been backported to stable ever since, hence the renewed bug report.
> > >
> > > Any of the following would be an acceptable solution:
> > > - disable the service by default (previous behaviour, service is not
> > >   required for connection to localhost anyway)
> > > - configure the bind address to 127.0.0.1
> > > - implement another restriction like setting a random password on
> > >   installation
> > >
> > > Kind regards,
> > > David Winterstein
> > >
> > > compositiv GmbH
> > > Hammer Deich 30
> > > 20537 Hamburg
> > > Tel: +49 40 6094349 0
> > > Fax: +49 40 6094349 40
> > > Web: www.compositiv.com
> > > Mail: i...@compositiv.com
> > >
> > > Managing Director: Matthias Krawen
> > > Amtsgericht Hamburg (District Court) - HRB 122540
> > > VAT ID: DE282432834
> >
> > The version fixed will be in stable when bullseye becomes stable.
>
> As an additional note, as we got reached out to on this bug report: Such
> an issue can (if possible) as well be fixed in a current stable
> release (not only via DSAs when they do not warrant it, and this one
> is likely such a no-dsa candidate), but as well via the regular point
> releases.
>
> Information for that is in
>
> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
>
> Hope this helps,
>
> Regards,
> Salvatore

You are right, I will work on this. Thanks.

--
Daniel Echeverri
Debian Developer
Linux user: #477840
GPG Fingerprint: D0D0 85B1 69C3 BFD9 4048 58FA 21FC 2950 4B52 30DB
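The bug report above turns on one question an administrator can check locally: is the glances server (or any other service) listening on every interface, or only on loopback? As an added example, not code from glances, Debian or anyone in this thread, here is a small Python audit that parses `ss -tlnp`-style output and lists listening sockets bound to a non-loopback address. The socket lines, process names and port number below are constructed for the example, not captured from a real host; the sample is meant to resemble `ss` output, not reproduce any particular version of it.

```python
"""Audit 'ss -tlnp'-style output for listeners reachable from the network.

Added example; not glances' or Debian's code. SAMPLE_SS_OUTPUT is constructed
to look like 'ss -tlnp' output (the same shape with or without the header
line); the PIDs, the port 61209 and the process names are made up.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Listener(NamedTuple):
    proc: str   # process name from the users:(("name",pid=...)) column
    addr: str   # local address with any IPv6 brackets removed
    port: int


# Constructed sample: a glances server bound to every IPv4 interface (the
# misconfiguration from the bug report), a second glances instance correctly
# restricted to loopback, a loopback-only cupsd, and sshd on the wildcard.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      5      0.0.0.0:61209      0.0.0.0:*         users:(("glances",pid=1234,fd=3))
LISTEN 0      128    127.0.0.1:61209    0.0.0.0:*         users:(("glances",pid=1235,fd=3))
LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=700,fd=7))
LISTEN 0      128    *:22               *:*               users:(("sshd",pid=900,fd=3))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> List[Listener]:
    """Turn each LISTEN line into a Listener; header and other states are skipped."""
    listeners: List[Listener] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        # Local address is 'addr:port'; rpartition keeps IPv6 colons intact.
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        match = _PROC_RE.search(fields[5])
        proc = match.group(1) if match else "?"
        listeners.append(Listener(proc, addr, int(port)))
    return listeners


def is_local_only(addr: str) -> bool:
    """True only for loopback addresses; wildcards and unknown forms count as exposed."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # A hostname or anything unexpected: treat as exposed so it gets reviewed.
        return False


def exposed_listeners(ss_output: str, proc_name: Optional[str] = None) -> List[Listener]:
    """Listeners not restricted to loopback, optionally filtered by process name."""
    return [
        lst for lst in parse_listeners(ss_output)
        if not is_local_only(lst.addr) and (proc_name is None or lst.proc == proc_name)
    ]


if __name__ == "__main__":
    # On a real host: ss -tlnp | python3 this_script.py  (replace SAMPLE_SS_OUTPUT
    # with sys.stdin.read()). Here we run over the constructed sample.
    for lst in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {lst.proc} on {lst.addr}:{lst.port}")
```

The check deliberately treats anything that is not a parseable loopback address as exposed, so a unit that binds to a hostname or to a wildcard shows up for review rather than being silently accepted; a glances instance that was started with its bind address set to 127.0.0.1 (one of the fixes requested in the report) drops out of the list.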