Security leak: Public disclosure of user data without their consent by installing software via pkg
shawn.webb at hardenedbsd.org
Tue Apr 6 14:27:37 UTC 2021
On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my consent.
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
> Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> And read my experience in this and the following forum posts:
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
> So please get this fixed and report back.
1. BSDStats isn't run/maintained by the FreeBSD project. File the
report with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?
Cofounder / Security Engineer