Security leak: Public disclosure of user data without their consent by installing software via pkg

Shawn Webb shawn.webb at hardenedbsd.org
Tue Apr 6 14:42:28 UTC 2021


On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
> On 06/04/2021 16:27, Shawn Webb wrote:
> 
> > 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> >     report with the BSDStats project, not FreeBSD.
> > 2. You install a package that is made to submit statistical data.
> > 3. You're upset that it submits statistical data?
> 
> The problem here is that it collects and sends data right at the install
> time. It is really unexpected to run an installed package without user consent.
> If you install Apache, MySQL or any other package the command / daemon is not
> run by "pkg install" command.
> This must be avoided.

It's probably easier to submit a patch than it is to write a
lolwut-type email. All you gotta do is rm the post-install script.
Also `pkg install` has the -I option. But whatever, let the lolwut
mentality prevail!

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
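One defensive way to act on the two suggestions above (inspect the package's install-time scripts, and fall back to `pkg install -I`, which disables pre/post scripts) is to fetch the archive without installing it and read its raw manifest first. The script below is an added example, not code from this thread, from FreeBSD pkg, or from the BSDStats project. Beyond the `-I` flag quoted in the message, it assumes pkg-fetch(8)'s `-o` (write the archive under a directory of your choosing) and pkg-info(8)'s `-R` (raw manifest) and `-F` (query an archive file) options; the sample manifest, the `example-stats` package name and the `scripts_in_sample` helper are constructed for the example. The hook detection is a text heuristic over the manifest dump, not a UCL parser.

```shell
#!/bin/sh
# Added example: list the install-time script hooks a package declares, and
# install with scripts disabled (pkg install -I) when it declares any.

# Print the script hook names (pre-install, post-install, ...) found in a raw
# pkg manifest, i.e. the text that `pkg info -R` prints. Heuristic line match.
list_pkg_scripts() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*"?(pre|post)-(install|deinstall|upgrade)"?[[:space:]]*[:=]' |
        sed -E 's/^[[:space:]]*"?([a-z-]+)"?.*/\1/' |
        sort -u
}

# Succeeds when the manifest declares at least one script hook.
has_pkg_scripts() {
    [ -n "$(list_pkg_scripts "$1")" ]
}

# Constructed sample manifest in the shape `pkg info -R` prints, with a
# hypothetical post-install hook that reports to a remote service. It is not
# the real bsdstats manifest.
SAMPLE_MANIFEST='name: "example-stats"
version: "1.0"
origin: "sysutils/example-stats"
scripts: {
  post-install: "#!/bin/sh\n/usr/local/bin/example-stats-report"
  post-deinstall: "#!/bin/sh\nrm -f /var/db/example-stats.id"
}'

# Offline check: the hooks the constructed sample declares, space separated.
scripts_in_sample() {
    list_pkg_scripts "$SAMPLE_MANIFEST" | tr '\n' ' ' | sed 's/ $//'
}

# Real workflow (needs root and repository access): fetch the archive only,
# dump its manifest, then install with -I if any hook is present so nothing
# runs at install time; any setup the package needs is then done by hand.
# Assumes pkg-fetch(8) -o and pkg-info(8) -R/-F as documented in those pages.
review_and_install() {
    name="$1"
    tmp="$(mktemp -d)"
    pkg fetch -y -o "$tmp" "$name"
    for archive in "$tmp"/All/*; do
        manifest="$(pkg info -R -F "$archive")"
        if has_pkg_scripts "$manifest"; then
            echo "$archive declares hooks: $(list_pkg_scripts "$manifest" | tr '\n' ' ')"
            pkg install -y -I "$name"
        else
            pkg install -y "$name"
        fi
    done
    rm -rf "$tmp"
}

# Usage: sh review-pkg.sh --install <package>   (hypothetical file name)
if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    review_and_install "$2"
fi
```

Running the script with no arguments only defines the functions; `scripts_in_sample` shows what the heuristic reports for the constructed manifest (`post-deinstall post-install`). Note that `-I` also skips post-deinstall hooks on removal, so a package installed this way may leave state behind that its deinstall script would normally clean up.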