Debian Bug report logs - #509880
Automatically downloads and executes code

version graph

Package: azureus; Maintainer for azureus is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for azureus is src:azureus.

Reported by: Enrico Zini <enrico@debian.org>

Date: Sat, 27 Dec 2008 12:06:07 UTC

Severity: important

Found in version azureus/3.1.1.0-3.1

Done: Adrian Perez <adrianperez.deb@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Shaun Jackman <sjackman@debian.org>:
Bug#509880; Package azureus. (Sat, 27 Dec 2008 12:06:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Enrico Zini <enrico@debian.org>:
New Bug report received and forwarded. Copy sent to Shaun Jackman <sjackman@debian.org>. (Sat, 27 Dec 2008 12:06:09 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Automatically downloads and executes code
Date: Sat, 27 Dec 2008 12:49:12 +0100
Package: azureus
Version: 3.1.1.0-3.1
Severity: important

Hello,

I've installed and run azureus, and the first thing that it did was to
download an "Updater" plugin and activating it.

I later found a file called "Azureus4.0.0.4.jar" automatically added to
the download queue, and once it had downloaded, azureus prompted me to
be restarted, and I had to click "Restart later" to avoid it doing it
automatically.

So, uhm, without me doing absolutelly anything besides starting the
problem, it goes on without asking and downloads code from somewhere
unspecified then runs it?

No, I mean, seriously?

I feel like as a user I should at the very least be asked first,
possibly with an explanation of what is being downloaded, where from and
why, and how is the downloade authenticated.

Ideally however, by defaults software updates should come through Debian
only, and automatic update gadgets (such as Firefox also has) should be
explicitly turned on by the user.


Ciao,

Enrico

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages azureus depends on:
ii  libcommons-cli-java           1.1-3      API for working with the command l
ii  liblog4j1.2-java              1.2.15-4   Logging library for java
ii  libswt-gtk-3.4-java           3.4-1      Standard Widget Toolkit for GTK+ J
ii  openjdk-6-jre                 6b11-9     OpenJDK Java runtime, using Hotspo

azureus recommends no packages.

Versions of packages azureus suggests:
pn  vuze                          <none>     (no description available)

-- no debconf information




Reply sent to Adrian Perez <adrianperez.deb@gmail.com>:
You have taken responsibility. (Thu, 13 Aug 2009 14:48:03 GMT) Full text and rfc822 format available.

Notification sent to Enrico Zini <enrico@debian.org>:
Bug acknowledged by developer. (Thu, 13 Aug 2009 14:48:03 GMT) Full text and rfc822 format available.

Message #10 received at 509880-close@bugs.debian.org (full text, mbox):

From: Adrian Perez <adrianperez.deb@gmail.com>
To: 509880-close@bugs.debian.org
Subject: Re: Automatically downloads and executes code
Date: Thu, 13 Aug 2009 10:45:09 -0400
[Message part 1 (text/plain, inline)]
I can't reproduce with current version in unstable (4.2.0.4-1), so I
assume the patch that disables core updates have fixed it. 
Feel free to reopen it, if you can reproduce it again, aka the bug
persists.

-- 
Best regards, 

Adrian Perez <adrianperez.deb@gmail.com>
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Sep 2009 08:14:05 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:21:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.