Your message dated Thu, 19 Mar 2020 16:22:22 +0000 with message-id <e1jexw6-000814...@fasolo.debian.org> and subject line Bug#935042: fixed in lynis 2.7.5-1 has caused the Debian Bug report #935042, regarding Program phones home by default to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
935042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lynis
Version: 2.6.2-1
Severity: serious
Justification: privacy leak

By default, this program appears to make a DNS query to lynis-latest-version.cisofy.com, thus leaking information about the system and the fact that the user is running an audit.

This is particularly egregious in the case of a security audit tool, as it reveals to observers that the sysadmin performing the audit may be concerned about the system's security.

Note that this information is being revealed both to whoever controls "cisofy.com" and also to any network observers as DNS queries are still typically unencrypted.

I believe that Debian has held the long-standing philosophy that this kind of privacy leak must not be permitted by default. Debian users generally assume that the package maintainer has taken care of this kind of thing, and that it is safe to assume that there is no information being exfiltrated from the system without the user's explicit permission.

Please patch the default configuration so that there is no privacy leak.

If this issue affects existing stable releases, I suggest that a stable update is also necessary, or perhaps even a security update.
--- End Message ---
--- Begin Message ---
Source: lynis
Source-Version: 2.7.5-1
Done: Marc Dequènes (Duck) <d...@duckcorp.org>

We believe that the bug you reported is fixed in the latest version of lynis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 935...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <d...@duckcorp.org> (supplier of updated lynis package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 13 Mar 2020 00:09:28 +0900
Source: lynis
Architecture: source
Version: 2.7.5-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (duck) <d...@duckcorp.org>
Changed-By: Marc Dequènes (Duck) <d...@duckcorp.org>
Closes: 902614 935042 939325 951466
Changes:
 lynis (2.7.5-1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * NMU for salvaging package (Closes: #951466).
   * NUR:
     + refreshed patch.
   * Updated watch file (Closes: #902614).
   * Switch sources to Salsa and update URLs accordingly.
   * Switch all URLs to HTTPS.
   * Switch to debhelper 12.
   * Switch to DH (Closes: #939325).
   * Add patch to disable version check by default for privacy reasons
     (Closes: #935042).
   * Add patch to fix manpage syntax mistake.
   * Bump Standards-Version to 4.5.0.
--- End Message ---