pkgsrc-Changes archive


CVS commit: pkgsrc/sysutils/py-Glances



Module Name:    pkgsrc
Committed By:   fox
Date:           Mon Mar 30 10:33:25 UTC 2026

Modified Files:
        pkgsrc/sysutils/py-Glances: Makefile distinfo

Log Message:
sysutils/py-Glances: Update to 4.5.2

Changes since 4.5.1:

=============
Version 4.5.2
=============

Bug corrected:

  * System display error on "little" terminal #3469

Security patches:

  * Default CORS Configuration Allows Cross-Origin Credential Theft - Correct
    CVE-2026-32610
  * Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash
    and SNMP Credentials - Correct CVE-2026-32609
  * REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding -
    Correct CVE-2026-32632
  * Unauthenticated API Exposure / Add warning message on startup - Correct
    CVE-2026-32596
  * SQL Injection in DuckDB Export via Unparameterized DDL Statements -
    Correct CVE-2026-32611
  * Command Injection via Process Names in Action Command Templates - Correct
    CVE-2026-32608
  * Central Browser Autodiscovery Leaks Reusable Credentials to
    Zeroconf-Spoofed Servers - Correct CVE-2026-32634
  * Browser API Exposes Reusable Downstream Credentials - Correct
    CVE-2026-32633

Breaking changes:

This release addresses 8 security vulnerabilities. Several of the mitigations
change observable behaviour. Users who run Glances in web server or API mode
should read the items below before upgrading.

  * [CVE-2026-32632] Host header validation is now enforced on the built-in
    web server. Requests whose Host header does not match localhost or
    127.0.0.1 will be rejected with HTTP 400 by default. Users accessing
    Glances through a reverse proxy, a custom hostname, or a non-loopback IP
    address must declare the allowed values with the new allowed_hosts key in
    the [outputs] section of glances.conf (comma-separated list). This was
    already required for the MCP server since 4.5.1; it now also applies to
    the main REST/WebUI server.

  * [CVE-2026-32610] The default CORS policy is now restrictive. Previously,
    the server replied with Access-Control-Allow-Origin: * which allowed any
    web page to issue credentialed cross-origin requests against the API. The
    wildcard is removed. Users running third-party web dashboards or custom
    front-ends on a different origin must explicitly list allowed origins with
    the cors_origins key in the [outputs] section of glances.conf.

  * [CVE-2026-32609] Sensitive fields are now redacted on unauthenticated API
    responses. The /api/4/args and /api/4/config endpoints no longer return
    password hashes, SSL key paths, or SNMP community strings to callers that
    have not authenticated. Scripts and integrations that relied on reading
    these values from the API must now authenticate (token or password) to
    receive them.

  * [CVE-2026-32633, CVE-2026-32634] The Browser (multi-server mode) no longer
    forwards configured credentials to remote Glances servers, whether
    discovered via Zeroconf or listed in the [serverlist] section. Credentials
    are only sent after the user explicitly logs in to an individual server.
    Automated setups that relied on transparent credential propagation must
    switch to per-server authentication.

  * [CVE-2026-32596] A WARNING is now printed to stdout at startup when the
    REST API is running without authentication (no --password and no API token
    configured). This is an informational message; the unauthenticated mode
    itself is unchanged and remains the default for private-network
    deployments. Startup scripts or monitoring pipelines that treat any
    stderr/stdout output as a failure may need to be updated.

  * [CVE-2026-32611] The DuckDB export module now uses parameterized DDL
    statements. Table names derived from plugin or metric names are sanitized
    before use. Existing DuckDB databases whose table names contained
    characters that were previously interpolated verbatim may need to be
    recreated.

  * [CVE-2026-32608] Process names used in [action] command templates are now
    shell-escaped before substitution. Templates that relied on unescaped
    special characters in process names to construct compound shell
    expressions will no longer behave as before.

Thanks to @psyberck for the UI patch and @DhiyaneshGeek / @restriction for
the CVE reports.
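The Host header check described under CVE-2026-32632 above, as an added example in Python that is not Glances' own code: it reproduces the behaviour the changelog states (localhost and 127.0.0.1 accepted by default, a comma-separated allowed_hosts value extending that list, HTTP 400 otherwise). The function names, the port stripping and the bracketed-IPv6 handling are assumptions of this example.

```python
"""Hypothetical re-implementation of an allowed-hosts check for a local web API.

Rejecting requests whose Host header names something other than the server's
own loopback names is what defeats DNS rebinding: a rebound hostname arrives
in the Host header, not as an IP, so it no longer matches.
"""
from typing import Dict, Iterable, Optional, Set

# Defaults stated in the changelog: only loopback names are accepted.
DEFAULT_ALLOWED_HOSTS = ("localhost", "127.0.0.1")


def parse_allowed_hosts(value: Optional[str]) -> Set[str]:
    """Parse the comma-separated allowed_hosts value from [outputs] in glances.conf.

    The configured names are added to the defaults; comparison is case-insensitive.
    """
    hosts = set(DEFAULT_ALLOWED_HOSTS)
    if value:
        hosts.update(h.strip().lower() for h in value.split(",") if h.strip())
    return hosts


def host_without_port(host_header: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals such as [::1]:61208."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        return h[1:end] if end != -1 else h
    name, sep, port = h.rpartition(":")
    if sep and port.isdigit():
        return name
    return h


def host_allowed(host_header: Optional[str], allowed: Iterable[str]) -> bool:
    """A missing Host header is rejected, not treated as loopback."""
    if not host_header:
        return False
    return host_without_port(host_header) in set(allowed)


def check_request(headers: Dict[str, str], allowed_hosts_value: Optional[str] = None) -> int:
    """Return the HTTP status the request would receive: 400 on mismatch, 200 otherwise."""
    allowed = parse_allowed_hosts(allowed_hosts_value)
    return 200 if host_allowed(headers.get("Host"), allowed) else 400
```

A reverse proxy that forwards the client's original Host header needs its public name in allowed_hosts; a proxy that rewrites Host to the upstream loopback name does not.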


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 pkgsrc/sysutils/py-Glances/Makefile
cvs rdiff -u -r1.38 -r1.39 pkgsrc/sysutils/py-Glances/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/sysutils/py-Glances/Makefile
diff -u pkgsrc/sysutils/py-Glances/Makefile:1.45 pkgsrc/sysutils/py-Glances/Makefile:1.46
--- pkgsrc/sysutils/py-Glances/Makefile:1.45    Sun Mar  8 11:22:25 2026
+++ pkgsrc/sysutils/py-Glances/Makefile Mon Mar 30 10:33:25 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.45 2026/03/08 11:22:25 fox Exp $
+# $NetBSD: Makefile,v 1.46 2026/03/30 10:33:25 fox Exp $
 
-DISTNAME=      glances-4.5.1
+DISTNAME=      glances-4.5.2
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME:S/g/G/}
 CATEGORIES=    sysutils python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=g/glances/}
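Review bot: the only functional change in this hunk is the DISTNAME bump from glances-4.5.1 to glances-4.5.2, and no PKGREVISION line exists that would need resetting, which is correct for a plain version update; the $NetBSD keyword line is CVS expansion and needs no attention. Since this update exists to pull in eight security fixes, it would help downstream users if the commit also bumped nothing else, so that the diff stays auditable as exactly one version change, which it does.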

Index: pkgsrc/sysutils/py-Glances/distinfo
diff -u pkgsrc/sysutils/py-Glances/distinfo:1.38 pkgsrc/sysutils/py-Glances/distinfo:1.39
--- pkgsrc/sysutils/py-Glances/distinfo:1.38    Sun Mar  8 11:22:25 2026
+++ pkgsrc/sysutils/py-Glances/distinfo Mon Mar 30 10:33:25 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.38 2026/03/08 11:22:25 fox Exp $
+$NetBSD: distinfo,v 1.39 2026/03/30 10:33:25 fox Exp $
 
-BLAKE2s (glances-4.5.1.tar.gz) = 5ed4af41781995027dfc5d967743e6b97929af7ef0b5f29e742943d5d7b0dd43
-SHA512 (glances-4.5.1.tar.gz) = 1000196f8b59f14f4f7d9cf33f2d53e804b7f2d05203efa2570a1ecf184e001230bdeeab74ced71ace666ebf5f7faa7fe3ea83a701640ba9f4c61b1cfc45d007
-Size (glances-4.5.1.tar.gz) = 7399451 bytes
+BLAKE2s (glances-4.5.2.tar.gz) = 6f69ca1dd1bc58f430c7977323a1417c26bd6cd9259ed30b82378932e51a6200
+SHA512 (glances-4.5.2.tar.gz) = e7a5fe63381f30965c13dcb078385cbf0d3bbe8322a4235c2ac195fe760681fb83637dec20737ee649d8ea3087d483dc132b3c58a7c85be3e351f2b9f4a9efbc
+Size (glances-4.5.2.tar.gz) = 7418802 bytes
 SHA1 (patch-glances_plugins_diskio_____init____.py) = 1656f96b41b9fce10a3f0dca9d39012f0b51200c
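Review bot: BLAKE2s, SHA512 and Size are all updated together for glances-4.5.2.tar.gz, so the checksum set is consistent, but the unchanged SHA1 line for patch-glances_plugins_diskio_____init____.py means the local diskio patch is still carried against the new release; please confirm it still applies cleanly to 4.5.2 and, if upstream has merged the equivalent change, drop the patch and its distinfo line in a follow-up.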
