
Re: Glances: Unprotected XMLRPC server enabled by default



Done. 

On Thu, Oct 10, 2019, 23:09 Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi Jim,

On Thu, Oct 10, 2019 at 04:31:01PM +0800, Jim Mee wrote:
> Hi all,
>
> I recently found that the glances <https://packages.debian.org/buster/glances>
> package has added an XMLRPC API server that provides access for remote
> users. Unfortunately it requires no authentication, and worse, it binds to
> 0.0.0.0, meaning glances API is exposed to the whole network.
>
> I suggest that the packager adds a random password on install, and reminds
> the user to change it afterwards.

Can you file this as a regular bug against the package (ideally with
reportbug, otherwise for alternatives see
https://www.debian.org/Bugs/Reporting)?

Regards,
Salvatore
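
The two mitigations raised in the report above (listen on loopback rather than 0.0.0.0, and require a randomly generated password) shown on a generic XML-RPC service. This is an added example built on Python's standard `xmlrpc` modules, not code from the thread or from Glances; `USER`, `AuthHandler`, `make_server` and `get_stats` are hypothetical names and the returned data is constructed.

```python
import base64
import hmac
import secrets
import threading
from xmlrpc.client import ProtocolError, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

USER = "monitor"                      # hypothetical account name
PASSWORD = secrets.token_urlsafe(24)  # random per-install secret

class AuthHandler(SimpleXMLRPCRequestHandler):
    """Refuse any XML-RPC call that lacks valid HTTP Basic credentials."""

    def _authorized(self):
        scheme, _, blob = self.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            supplied = base64.b64decode(blob, validate=True)
        except ValueError:  # malformed base64
            return False
        return hmac.compare_digest(supplied, f"{USER}:{PASSWORD}".encode())

    def do_POST(self):
        if self._authorized():
            return super().do_POST()
        # Drain the (bounded) body so the client reliably sees the 401.
        length = self.headers.get("Content-Length", "0")
        self.rfile.read(min(int(length), 65536) if length.isdigit() else 0)
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="stats"')
        self.send_header("Content-Length", "0")
        self.end_headers()

def make_server(host="127.0.0.1", port=0):
    """Listen on loopback instead of 0.0.0.0; port 0 picks a free port."""
    server = SimpleXMLRPCServer((host, port), requestHandler=AuthHandler, logRequests=False)
    server.register_function(lambda: {"cpu": 12.5}, "get_stats")  # constructed data
    return server

if __name__ == "__main__":
    srv = make_server()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        ServerProxy(f"http://127.0.0.1:{port}/").get_stats()
    except ProtocolError as err:
        print("anonymous call rejected:", err.errcode)
    print(ServerProxy(f"http://{USER}:{PASSWORD}@127.0.0.1:{port}/").get_stats())
    srv.shutdown()
```

HTTP Basic credentials travel unencrypted, so a listener that must be reachable beyond loopback also needs TLS or a tunnel in front of it.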
