Your message dated Thu, 19 Mar 2026 02:37:12 +0000
with message-id <[email protected]>
and subject line Bug#1131197: fixed in glances 4.5.2+dfsg-1
has caused the Debian Bug report #1131197,
regarding glances: CVE-2026-32596 CVE-2026-32608
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131197: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glances
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for glances.
CVE-2026-32596[0]:
| Glances is an open-source system cross-platform monitoring tool.
| Prior to 4.5.2, Glances web server runs without authentication by
| default when started with `glances -w`, exposing REST API with
| sensitive system information including process command-lines
| containing credentials (passwords, API keys, tokens) to any network
| client. Version 4.5.2 fixes the issue.
https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq
https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25
(v4.5.2)
CVE-2026-32608[1]:
| Glances is an open-source system cross-platform monitoring tool. The
| Glances action system allows administrators to configure shell
| commands that execute when monitoring thresholds are exceeded. These
| commands support Mustache template variables (e.g., `{{name}}`,
| `{{key}}`) that are populated with runtime monitoring data. The
| `secure_popen()` function, which executes these commands, implements
| its own pipe, redirect, and chain operator handling by splitting the
| command string before passing each segment to
| `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-
| rendered value (such as a process name, filesystem mount point, or
| container name) contains pipe, redirect, or chain metacharacters,
| the rendered command is split in unintended ways, allowing an
| attacker who controls a process name or container name to inject
| arbitrary commands. Version 4.5.2 fixes the issue.
https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7
https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107
(v4.5.2)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32596
https://www.cve.org/CVERecord?id=CVE-2026-32596
[1] https://security-tracker.debian.org/tracker/CVE-2026-32608
https://www.cve.org/CVERecord?id=CVE-2026-32608
Please adjust the affected versions in the BTS as needed.
--- End Message ---
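The splitting problem described for CVE-2026-32608 in the report above, as an added example: this is not Glances code and not the upstream patch. It is a simplified model in which the function names, the two-operator set (`&&`, `|`), the `logger` template and the process name are all constructed assumptions. It only computes the argv lists that would be started, without running anything, and contrasts render-then-split with split-then-render.

```python
import re
import shlex

# Toy operator set (assumption): only "&&" and "|" are treated as separators.
_OPERATORS = re.compile(r"\s*(?:&&|\|)\s*")
_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def render(text, values):
    """Minimal Mustache-style substitution of {{key}} placeholders."""
    return _PLACEHOLDER.sub(lambda m: str(values.get(m.group(1), "")), text)


def plan_render_then_split(template, values):
    """Flawed order: substitute first, then split the rendered string.

    Returns one argv list per command that would be started with shell=False.
    """
    rendered = render(template, values)
    return [shlex.split(seg) for seg in _OPERATORS.split(rendered) if seg]


def plan_split_then_render(template, values):
    """Safer order: split and tokenise the administrator's template first,
    then substitute into single argv elements, so data never becomes syntax."""
    return [
        [render(tok, values) for tok in shlex.split(seg)]
        for seg in _OPERATORS.split(template)
        if seg
    ]


def value_changes_structure(template, values):
    """Detection helper: True when runtime data alters the command count."""
    return len(plan_render_then_split(template, values)) != len(
        plan_split_then_render(template, values)
    )


# Constructed sample: an action template and a hostile process name.
TEMPLATE = "logger -t glances {{name}}"
HOSTILE = {"name": "worker && echo injected"}

if __name__ == "__main__":
    print(plan_render_then_split(TEMPLATE, HOSTILE))
    print(plan_split_then_render(TEMPLATE, HOSTILE))
```

With `shell=False` alone the flawed order still yields two commands, because the operator handling happens in the splitter rather than in a shell.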
--- Begin Message ---
Source: glances
Source-Version: 4.5.2+dfsg-1
Done: Daniel Echeverri <[email protected]>
We believe that the bug you reported is fixed in the latest version of
glances, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Echeverri <[email protected]> (supplier of updated glances package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Mar 2026 19:31:09 -0500
Source: glances
Architecture: source
Version: 4.5.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Echeverri <[email protected]>
Changed-By: Daniel Echeverri <[email protected]>
Closes: 1131197
Changes:
glances (4.5.2+dfsg-1) unstable; urgency=medium
.
* New upstream version 4.5.2+dfsg (Closes: #1131197)
+ Fixing CVE-2026-32596 CVE-2026-32608 CVE-2026-32609 CVE-2026-32610
CVE-2026-32611 CVE-2026-32632 CVE-2026-32633 CVE-2026-32634
--- End Message ---