-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source: mobyle
Version: 1.5.5
Severity: grave
Tags: upstream security
Justification: user security hole

In file Src/Portal/htdocs/MobylePortal/js/mobyle_ga.js, there is a Google analytics beacon prepared to "phone home": I don't think this should be part of a Debian package by default.

- -- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlo08/EACgkQBcgs9XrR2kb+LQCdGxgHG4M68aekParzcogEFUST
U9gAn2vYBZFC5g1dHOj0+BuwVvjrlTmr
=iVQS
-----END PGP SIGNATURE-----