
Re: Glances: Unprotected XMLRPC server enabled by default



* Jim Mi:

> Done.

Thanks.  For future reference:

  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942162>

> On Thu, Oct 10, 2019, 23:09 Salvatore Bonaccorso <carnil@debian.org> wrote:
>
>> Hi Jim,
>>
>> On Thu, Oct 10, 2019 at 04:31:01PM +0800, Jim Mee wrote:
>> > Hi all,
>> >
>> > I recently found glances <https://packages.debian.org/buster/glances>
>> > package has added an XMLRPC API server that provides access for remote
>> > users. Unfortunately it requires no authentication, and worse, it binds to
>> > 0.0.0.0, meaning glances API is exposed to the whole network.
>> >
>> > I suggest that the packager adds a random password on install, and remind
>> > the user to change it afterwards.
>>
>> Can you file this as a regular bug against the package (ideally with
>> reportbug otherwise for alternative
>> https://www.debian.org/Bugs/Reporting)?
>>
>> Regards,
>> Salvatore
>>
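
The two mitigations raised in the original report (no wildcard bind, and a password generated at install time), shown with Python's standard-library XML-RPC server. This is an added example, not Glances code and not part of the thread; `AuthHandler`, `make_server`, `call_ping` and the `ping` method are hypothetical names.

```python
import base64, hmac, secrets, threading, xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

class AuthHandler(SimpleXMLRPCRequestHandler):
    """Refuse any XML-RPC POST that lacks the expected HTTP Basic credentials."""

    def do_POST(self):
        expected = b"Basic " + base64.b64encode(self.server.credentials)
        supplied = self.headers.get("Authorization", "").encode("latin-1", "replace")
        if hmac.compare_digest(supplied, expected):  # constant-time comparison
            return super().do_POST()
        # Drain the (bounded) request body so the client can read the refusal cleanly.
        self.rfile.read(min(int(self.headers.get("Content-Length") or 0), 65536))
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="monitor"')
        self.send_header("Content-Length", "0")
        self.end_headers()

def make_server(user, password, host="127.0.0.1", port=0):
    # Loopback bind: only local clients can connect. Binding "0.0.0.0" instead
    # would accept connections on every interface, as in the report.
    server = SimpleXMLRPCServer((host, port), requestHandler=AuthHandler, logRequests=False)
    server.credentials = f"{user}:{password}".encode()
    server.register_function(lambda: "ok", "ping")  # hypothetical method
    return server

def call_ping(port, userinfo=""):
    """Return the RPC result, or the HTTP status code if the server refuses."""
    proxy = xmlrpc.client.ServerProxy(f"http://{userinfo}127.0.0.1:{port}/")
    try:
        return proxy.ping()
    except xmlrpc.client.ProtocolError as err:
        return err.errcode

if __name__ == "__main__":
    password = secrets.token_urlsafe(16)  # random secret generated at install time
    srv = make_server("admin", password)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    print(call_ping(port), call_ping(port, f"admin:{password}@"))
    srv.shutdown()
```

HTTP Basic credentials travel unencrypted, so a deployment that must listen beyond loopback also needs TLS or a tunnel in front of it.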

