Security leak: Public disclosure of user data without their consent by installing software via pkg

Shawn Webb shawn.webb at hardenedbsd.org
Tue Apr 6 14:27:37 UTC 2021


On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> Hello,
> 
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
> 
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my consent.
> 
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
> 
> Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> And read my experience in this and the following forum posts:
> https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430
> 
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
> 
> So please get this fixed and report back.

1. BSDStats isn't run/maintained by the FreeBSD project. File the
   report with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?

lolwut,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
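For reviewing what a package will execute before installing it, an added Python example (not from either poster, and not the pkg(8) or BSDStats code): it reads the +MANIFEST inside a package archive and lists the install hooks declared there without running them. The package name, version and script contents are constructed for the demonstration.

```python
import io
import json
import os
import tarfile
import tempfile

# Script hooks a pkg(8) manifest may declare (see pkg-create(8)).
SCRIPT_KEYS = ("pre-install", "post-install", "install",
               "pre-deinstall", "post-deinstall", "deinstall")


def pkg_scripts(pkg_path):
    """Return {hook: script_text} declared in the package's +MANIFEST.

    Only the archive is read; nothing is extracted to disk or executed.
    tarfile handles .txz (xz) packages; zstd-compressed .pkg files must
    be decompressed with tar(1) first.
    """
    with tarfile.open(pkg_path, "r:*") as tar:
        manifest = json.load(tar.extractfile("+MANIFEST"))
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in SCRIPT_KEYS}


def build_sample_pkg(path=None):
    """Write a constructed (not real) package archive with one hook."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "example-stats-1.0.txz")
    manifest = {
        "name": "example-stats",  # constructed name, not a real port
        "version": "1.0",
        "scripts": {
            "post-install": "#!/bin/sh\n/usr/local/bin/example-report\n",
        },
    }
    data = json.dumps(manifest).encode()
    with tarfile.open(path, "w:gz") as tar:  # gzip stands in for xz here
        info = tarfile.TarInfo("+MANIFEST")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    sample = build_sample_pkg()
    for hook, text in pkg_scripts(sample).items():
        print(f"== {hook} ==\n{text}")
```

A package that declares no hooks yields an empty dict, so the output is exactly the set of scripts that `pkg install` would run on your behalf.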