Package: lynis
Version: 2.6.2-1
Severity: serious
Justification: privacy leak
By default, this program appears to make a DNS query to lynis-latest-version.cisofy.com, thus leaking information about the system and the fact that the user is running an audit. This is particularly egregious in the case of a security audit tool, as it reveals to observers that the sysadmin performing the audit may be concerned about the system's security. Note that this information is being revealed both to whoever controls "cisofy.com" and also to any network observers, as DNS queries are still typically unencrypted.

I believe that Debian has held the long-standing philosophy that this kind of privacy leak must not be permitted by default. Debian users generally assume that the package maintainer has taken care of this kind of thing, and that it is safe to assume that there is no information being exfiltrated from the system without the user's explicit permission.

Please patch the default configuration so that there is no privacy leak. If this issue affects existing stable releases, I suggest that a stable update is also necessary, or perhaps even a security update.
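A way to verify the reported behaviour on your own host, as an added example that is neither part of this bug report nor of the lynis project: run the audit under a DNS packet capture and flag any lookups under a chosen domain suffix. It assumes tcpdump is installed and that the script has the privilege needed to sniff; the tcpdump-style sample lines in the test are constructed, including the TXT answer, and do not come from a real capture.

```shell
#!/bin/sh
# Added example, not part of the bug report or of lynis itself: capture the DNS
# traffic a command emits and flag queries to a chosen domain suffix.
# Assumes tcpdump is installed and the script runs with enough privilege to sniff.

# Pull the queried names out of tcpdump's "-n port 53" text output.
# Matches query lines such as this constructed one:
#   12:00:01.000000 IP 10.0.0.5.41234 > 10.0.0.1.53: 1234+ TXT? lynis-latest-version.cisofy.com. (49)
# Response lines carry no "?" after the record type and are ignored.
extract_dns_qnames() {
    sed -n 's/.*? \([^ ]*\)\. (.*/\1/p'
}

# Print every queried name at or under the given domain suffix; exit 1 when none.
# Usage: audit_dns_leak cisofy.com < tcpdump-output.txt
audit_dns_leak() {
    suffix=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    extract_dns_qnames | grep -i -E "(^|\.)${suffix}\$"
}

# Run a command while tcpdump records DNS traffic, then report what it looked up.
# Usage: run_with_dns_capture cisofy.com lynis audit system
run_with_dns_capture() {
    watch="$1"; shift
    log=$(mktemp)
    tcpdump -i any -n -l port 53 > "$log" 2>/dev/null &
    sniffer=$!
    sleep 1                       # give tcpdump time to attach to the interfaces
    "$@"
    sleep 1                       # let late queries reach the log
    kill "$sniffer" 2>/dev/null
    wait "$sniffer" 2>/dev/null
    if audit_dns_leak "$watch" < "$log"; then
        echo "WARNING: command queried names under $watch (listed above)" >&2
    else
        echo "no DNS queries under $watch observed"
    fi
    rm -f "$log"
}
```

Because the capture is taken on the host itself, it catches the query regardless of which tool lynis uses to perform the lookup; if a local caching resolver answers from cache, run the check with the cache cold, or capture on the resolver's upstream interface instead.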