aristocratos / bashtop

Linux/OSX/FreeBSD resource monitor
Apache License 2.0
10.76k stars 549 forks

[Security] #233

Closed Danielit2012 closed 1 year ago

Danielit2012 commented 1 year ago

Describe the bug

Not sure if true or bait, but maybe worthwhile reviewing this (bashtop: multiple vulnerabilities).

To Reproduce

[Steps to reproduce the behavior:]

Found this search result on goo*** search: https://www.google.com/search?q=bashtop+security&sxsrf=ALiCzsZhoxhDliwK7tOP0xSBEW7-hrHcHQ%3A1672478305329&ei=Yf6vY7bQE9-N9u8PhJS-uAw&oq=bashtop+secur&gs_lcp=Cgxnd3Mtd2l6LXNlcnAQARgBMgUIIRCgATIFCCEQoAEyBQghEKABMgUIIRCgAToKCAAQRxDWBBCwAzoFCAAQogRKBAhBGABKBAhGGABQ7zxYwIIBYKmYAWgDcAF4AIABdIgB9wOSAQMzLjKYAQCgAQHIAQjAAQE&sclient=gws-wiz-serp

The "bashtop security" bottom result links to https://www.globalsecuritymag.com/Vigil-nce-bashtop-multiple,20200917,102837.html

Provenance: user shell. Strange link forwarding: https://vigilance.fr/vulnerability/bashtop-multiple-vulnerabilities-32864 Better dig into it. Hope this has been useful.

aristocratos commented 1 year ago

@Danielit2012 Not really sure what to review here? A +2 year old claim of a vulnerability, with information hidden behind a paywall.

There was a security issue fixed in bashtop v0.9.20 in regards to how the psutil python module was imported. And the reference to the fedora builds site seems to be about upgrading to bashtop 0.9.24, so I'm guessing the maintainer missed or skipped the v0.9.21 and v0.9.22 versions and pushed the 0.9.24 version as urgent because of a possible security issue in 0.9.20.

But it has also been upgraded to current version 0.9.25 in the fedora repositories since then, so not sure why this would be a security issue now 2 years later?

Danielit2012 commented 1 year ago

@aristocratos Thank you for the reply. Indeed, I also considered the option that this might have been an old or outdated issue, since Linux gets lots of updates, but it is always better to check. Now I can trust bashtop enough to use it as a standalone sys monitor. I can say it earned a new user. I will check it for any future issues, but your reply and the reviews of the application gave me the impression of secure software for system monitoring, without having to worry about too many (or strange) open ports. To name a couple of them, Zabbix, Nagios or Checkmk don't impress me, as most of them use remote listening services and open listening ports. Honestly I prefer a simple app (like bashtop) that gives the same basic things that all of the above offer, without having all the useless blinks and things that others have that compromise the system security. After all, it might also be a troll or a competitor that tries to do bad publicity to free software, as the sea is full of sharks ;) I admit I'm not a pro user of Linux, as I switched from Win OS about a year ago, but I know a couple of things about servers, programming and networking in order to tell the difference regarding privacy and security.