Your message dated Thu, 19 Nov 2020 18:47:57 +0000
with message-id <[email protected]>
and subject line Bug#970812: fixed in glances 3.1.0-1+deb10u1
has caused the Debian Bug report #970812,
regarding glances: systemd service starting unrestricted listener on
0.0.0.0:61209 by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
970812: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970812
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glances
Version: 3.1.0-1
Severity: important
Dear Maintainer,
when changing the service file structure from SysVinit to systemd on Debian 10
(Buster), a security issue was introduced:
The service unit file is enabled by default without explicitly defining the
bind address as localhost or implementing any other form of access control.
Thus, the service is exposed to the whole network and any compatible client can
connect and gather an extensive amount of data from the system.
This behaviour was not given in previous Debian releases, where execution of
the listener was disabled through /etc/default/glances by default (RUN="false").
The issue has been known since Fri, 11 Oct 2019 and was fixed with upstream
release 3.1.3-1 on Fri, 17 Jan 2020 in testing/unstable (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942162), but has never been
backported to stable since, hence the renewed bug report.
Any of the following would be an acceptable solution:
- disable the service by default (previous behaviour, service is not required
for connection to localhost anyway)
- configure the bind address to 127.0.0.1
- implement another restriction like setting a random password on installation
Kind regards,
David Winterstein
compositiv GmbH
Hammer Deich 30
20537 Hamburg
Tel: +49 40 6094349 0
Fax: +49 40 6094349 40
Web: www.compositiv.com
Mail: [email protected]
Geschäftsführer Matthias Krawen
Amtsgericht Hamburg - HRB 122540
USt.-IdNr: DE282432834
-- System Information:
Debian Release: 10.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-10-amd64 (SMP w/48 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages glances depends on:
ii adduser 3.118
ii lsb-base 10.2019051400
ii node-normalize.css 8.0.1-3
ii python3 3.7.3-1
ii python3-pkg-resources 40.8.0-1
ii python3-psutil 5.5.1-1
Versions of packages glances recommends:
ii hddtemp 0.3-beta15-53
ii lm-sensors 1:3.5.0-3
ii python3-bottle 0.12.15-2
ii python3-docker 3.4.1-4
ii python3-influxdb 5.2.0-1
ii python3-matplotlib 3.0.2-2
ii python3-netifaces 0.10.4-1+b1
ii python3-pysnmp4 4.4.6+repack1-1
ii python3-pystache 0.5.4-6
Versions of packages glances suggests:
pn glances-doc <none>
-- no debconf information
--- End Message ---
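The report above describes the exposure (a glances server bound to 0.0.0.0:61209) and lists binding to 127.0.0.1 as one acceptable fix. The following POSIX shell script is an added example, not code from the bug report, from Debian or from the glances project: it audits a socket listing in the shape of `ss -Hltn` output for a glances listener on a wildcard address, and prints a systemd drop-in that re-launches the service bound to localhost. Assumptions, labelled in the comments: the sample socket lines are constructed, the unit is called glances.service, its packaged ExecStart runs `/usr/bin/glances -s`, and `-B` is the glances bind-address flag.

```shell
#!/bin/sh
# Added example, not code from the bug report or the glances package.
# Checks socket listings in `ss -Hltn` format for a glances server bound to a
# wildcard address, and prints a systemd drop-in that pins it to localhost.

GLANCES_PORT=61209

# Constructed sample in the shape of `ss -Hltn` output
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port); the first line
# is what the unwanted default described in this bug looks like.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:61209 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Report every LISTEN socket on $GLANCES_PORT found in the text given as $1.
# Prints "EXPOSED <addr:port>" for wildcard binds (0.0.0.0, [::], *) and
# "ok <addr:port>" otherwise. Returns 1 if anything is exposed, else 0.
audit_glances_bind() {
    exposed=0
    while read -r state _rq _sq laddr _peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}                 # text after the last colon
        [ "$port" = "$GLANCES_PORT" ] || continue
        addr=${laddr%:*}                  # everything before the last colon
        case "$addr" in
            0.0.0.0|'[::]'|'*') echo "EXPOSED $laddr"; exposed=1 ;;
            *)                  echo "ok $laddr" ;;
        esac
    done <<EOF
$1
EOF
    return $exposed
}

# Print a systemd override that starts glances bound to 127.0.0.1 only.
# Assumptions: the unit is glances.service and its packaged ExecStart runs
# /usr/bin/glances -s; the empty ExecStart= line clears the packaged one.
# Install with:
#   mkdir -p /etc/systemd/system/glances.service.d
#   glances_localhost_dropin > /etc/systemd/system/glances.service.d/bind.conf
#   systemctl daemon-reload && systemctl restart glances
glances_localhost_dropin() {
    printf '%s\n' '[Service]' 'ExecStart=' \
        'ExecStart=/usr/bin/glances -s -B 127.0.0.1'
}

# Stand-alone run against the constructed sample; on a real host feed it
# the output of `ss -Hltn` instead.
if audit_glances_bind "$SAMPLE_SS"; then
    echo "glances listener is restricted to a specific address"
else
    echo "glances is reachable from the network; suggested drop-in:"
    glances_localhost_dropin
fi
```

The audit deliberately treats `[::]` and `*` the same as `0.0.0.0`, since an IPv6 any-address bind exposes the server just as widely; binding to 127.0.0.1 still leaves the server usable by local clients, which is all the default installation needs.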
--- Begin Message ---
Source: glances
Source-Version: 3.1.0-1+deb10u1
Done: Daniel Echeverri <[email protected]>
We believe that the bug you reported is fixed in the latest version of
glances, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Echeverri <[email protected]> (supplier of updated glances package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 25 Sep 2020 18:40:26 -0500
Source: glances
Architecture: source
Version: 3.1.0-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Daniel Echeverri <[email protected]>
Changed-By: Daniel Echeverri <[email protected]>
Closes: 970812
Changes:
glances (3.1.0-1+deb10u1) buster; urgency=medium
.
* d/control: Update my last name.
* Now glances listens on 127.0.0.1. (Closes: #970812)
Checksums-Sha1:
4317425ceb39f792b35a90f3fc6c93cd79224d84 2129 glances_3.1.0-1+deb10u1.dsc
d8b880a24d8677a3a2124bef27cee648f14107ed 6688798 glances_3.1.0.orig.tar.gz
754120b67ada729a7963a8c367e446335fd603b3 10880 glances_3.1.0-1+deb10u1.debian.tar.xz
60ed3c2aefb1f6cc76e50fc402e43a614b1becd3 8186 glances_3.1.0-1+deb10u1_source.buildinfo
Checksums-Sha256:
4006586ab3e9f903d130748139e9911996ae03189d865f8cce593001a7a02b56 2129 glances_3.1.0-1+deb10u1.dsc
56e67aee5960ecb575a7277e87b06d305ec87d2108f65860d13d9111d320bdf5 6688798 glances_3.1.0.orig.tar.gz
bdf226f746eea6bafca5e1734b02bf8254f72e36a2b3c04a7f085591d7f29952 10880 glances_3.1.0-1+deb10u1.debian.tar.xz
940294a0d08359c18f3ceb3e6f734d7d4bb5d9573608dde8d04dad3ecc55468e 8186 glances_3.1.0-1+deb10u1_source.buildinfo
Files:
3b37b2d4e4e6bdc3bf7467527f0730d7 2129 utils optional glances_3.1.0-1+deb10u1.dsc
6b4d001854f711ee805eb60bd6831e18 6688798 utils optional glances_3.1.0.orig.tar.gz
ab7e394805bd60e4ae9c163afb688d7d 10880 utils optional glances_3.1.0-1+deb10u1.debian.tar.xz
eb09f1236eb91bcb2c784910ea1b81e3 8186 utils optional glances_3.1.0-1+deb10u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---