Package: jenkins
Version: 1.565.3-6
Severity: serious
Justification: privacy violation

The start page of a Debian Jenkins installation contains:

|         
loadScript("https://usage.jenkins-ci.org/usage-stats.js?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
 
6GUuah6rNRuZMK7F9IwfL17DHVmC32uln0wGaO8Q5xQI4/RrVRwLdt3I4jc9fzvrGQNsAej/1uP9Ge+9Jwgj3u2muQVN");

This is clearly a privacy violation, caught by RequestPolicy thankfully.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages jenkins depends on:
ii  adduser                                          3.115
ii  daemon                                           0.6.4-1+b2
ii  default-jre-headless [java6-runtime-headless]    2:1.8-59
ii  jenkins-common                                   1.565.3-6
ii  net-tools                                        1.60+git20161116.90da8a0-1
ii  openjdk-8-jre-headless [java6-runtime-headless]  8u141-b15-3
ii  procps                                           2:3.3.12-3
ii  psmisc                                           23.1-1

jenkins recommends no packages.

jenkins suggests no packages.

-- Configuration Files:
/etc/default/jenkins changed:
NAME=jenkins
JAVA=/usr/bin/java
JAVA_ARGS="-Xmx4096m -Dfile.encoding=UTF-8 -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1"
PIDFILE=/var/run/jenkins/jenkins.pid
JENKINS_USER=maven
JENKINS_ROOT=/usr/share/jenkins
JENKINS_WAR=/usr/share/jenkins/jenkins.war
JENKINS_HOME=/var/lib/jenkins
JENKINS_RUN=/var/run/jenkins
RUN_STANDALONE=true
JENKINS_LOG=/var/log/jenkins/$NAME.log
MAXOPENFILES=8192
HTTP_PORT=-1
AJP_PORT=8109
HTTP_HOST=127.0.0.1
AJP_HOST=127.0.0.1
JENKINS_ARGS="--webroot=$JENKINS_RUN/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT"
JENKINS_ARGS="$JENKINS_ARGS --httpListenAddress=$HTTP_HOST --ajp13ListenAddress=$AJP_HOST"
JENKINS_ARGS="$JENKINS_ARGS --preferredClassLoader=java.net.URLClassLoader"
JENKINS_ARGS="$JENKINS_ARGS --prefix=/jenkins/"
export LC_ALL=C.UTF-8
JAVA_ARGS="$JAVA_ARGS -Dorg.apache.commons.jelly.tags.fmt.timeZone=Europe/Berlin"


-- no debconf information
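
A check for the behaviour reported above, as an added example that is not part of the original report or of Jenkins: it lists every host other than the server's own that a saved copy of the start page would make a browser contact, through `src` attributes or URLs inside inline script such as the quoted `loadScript(...)` call. The sample HTML, its placeholder query string, the static file paths and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Absolute or protocol-relative URLs quoted inside inline script text,
# such as the argument of the loadScript(...) call in the report.
URL_IN_JS = re.compile(r"""["']((?:https?:)?//[^"'\s]+)["']""")

class ExternalLoadFinder(HTMLParser):
    """Collect (kind, host) for every URL whose host differs from own_host."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.in_script = False
        self.findings = []

    def _check(self, kind, url):
        host = urlsplit(url).hostname  # None for relative URLs
        if host and host.lower() != self.own_host:
            self.findings.append((kind, host.lower()))

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self.in_script = True
        if tag in ("script", "img", "iframe") and src:
            self._check(tag + "-src", src)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for url in URL_IN_JS.findall(data):
                self._check("inline-js", url)

def external_hosts(html, own_host):
    finder = ExternalLoadFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; PLACEHOLDER stands in for the real query string.
SAMPLE = ('<script src="/jenkins/static/app.js"></script>'
          '<script>loadScript("https://usage.jenkins-ci.org/usage-stats.js?PLACEHOLDER");</script>'
          '<img src="/jenkins/static/title.png">')

if __name__ == "__main__":
    print(external_hosts(SAMPLE, "127.0.0.1"))
```

Run it against the HTML actually served by the instance, passing the host name browsers use to reach it as `own_host`.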
