Source: swupdate Version: 2022.05-2 Severity: normal Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
It seems from reading source code, that swupdate hardcodes the use of Google DNS resolver 8.8.8.8, which is used as fallback when system is badly configured to not set a resolver. This is problematic, because it is a scenario rarely tested, and a situation where arguably you would expect a failure instead of silently leaking privacy information to Google. Specifically, swupdate embeds mongoose which by default defines MG_DEFAULT_NAMESERVER=8.8.8.8, and this has not been overridden in the project code. I guess this can be addressed by extending the file debian/configs/defconfig to also set DEFINE_MG_DEFAULT_NAMESERVER=0.0.0.0 Setting severity of this bugreport only to "normal" due to the rare circumstance it can occur and the lack of actual testing of the claim. Thanks to Bastian Germann for nudging me to file this bugreport, and apologies for only leaving a too vague note for several years at https://wiki.debian.org/PrivacyIssues - Jonas -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmNnsa8ACgkQLHwxRsGg ASHh6hAAndNu4T1rR85G58zIKGYldRrcwMcNxcSDeaggX5iffhN933xNaWd2FDuK qON66EtvxzoaIe8G+6d66Yw9ehqNO4eGtoQU7qFgvZ8PhAPeoERMXA49ZWsdfBbB w1OmiL2D/bOq/Fq11a8Dvs6gHM67drT+wdenUlcxD+fkRyYxqpo1QYt5j2VSmevo glf3SkH2HB6SKxrtbpER3KcdiPXilyYkMbnTpdz6OHpWeloDS/Y4oY2JICNWRCDG LCLE1ShRWFlNmXz8kTuStbjTK4c0tkfZFd+M6nVCNqYFgVC7svHCgEOmPnpDL9YK kgB4dvLalcOQNS9ju40uMMNzwqGuWy79ZmiKeSgFxuHXFMv4071WeuUKrfRAEvdr R2icrg0KaERH6DpYMkfAdIAKCTrtXF6kNBd/JQXitrRI/AoPbxGNeghKG0I6VN4l gJFSstp0P2DsyTnCGk+Vf1F1LoUcQlmuqgokHAandcRbhvqH/dJQj2aDUhG4hWIj 5LusdtWC9fn9UhYYTNrGjqeEBCsQ7L+TRMIPbwagM2EaBXVlRdhzAv1qYkxuLSwL Drkkoa2cwyIq1XYv3ra8I6+AU3gD6zPpsLVdIn0PadXqFuhcOlhxMRhCz+yuKtyG WTV+ukRwzRHLF/Zb+KZjrNbKUxgVgojSxXEvimjNWxjUsZAg42E= =YxRy -----END PGP SIGNATURE-----

