Control: severity -1 minor

Hi Marc,

On Mon, Jun 22, 2020 at 04:33:42PM +0900, Marc Dequènes (duck) wrote:
> Quack,
>
> On 2020-06-20 03:34, Salvatore Bonaccorso wrote:
>
> > CVE-2019-13033[0]:
> > | In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by
> > | looking at the process list when a data upload is being performed.
> > | This license can be used to upload data to a central Lynis server.
> > | Although no data can be extracted by knowing the license key, it may
> > | be possible to upload the data of additional scans.
>
> It should be possible to enable the license system on the packaged version
> but it makes no sense to do so since you would end up quitting on all the
> extra tests that are not opensourced (only in the enterprise version). The
> central server also is not packaged for this reason. That is to say I
> believe this bug can completely be ignored.

Thanks for this useful comment indeed! So yes I agree we probably can
just ignore the issue, and mark it as resolved once as well fixed
source-wise with a 3.0.0 or later upload, but do not need to handle it
explicitly otherwise.

I have already marked the CVE now in the security-tracker as
unimportant.

Thank you!

Regards,
Salvatore

