Message-ID: <CAF=YEMwo2rWVkB1SpOtw6vu8TVxKMYzGhmtp62uVgEY79pw8gA@mail.gmail.com>
Date: Thu, 10 Apr 2025 14:49:11 +0800
From: LinkinStar <linkinstar@...che.org>
To: jcb62281@...il.com
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy.

Hi Jacob,

First, we don't have the 1.4.3 and 1.4.4 versions. You can check out all of
our releases on GitHub. [1]
Second, this fix does not affect the same-origin policy. It means that
same-origin images will be displayed as usual, while different-origin images
will be restricted according to the administrator's settings.

Best regards,
LinkinStar

[1] https://github.com/apache/answer/releases

On Wed, Apr 2, 2025 at 7:32 AM Jacob Bachmeyer <jcb62281@...il.com> wrote:

> On 3/31/25 21:44, Enxin Xie wrote:
> > [...]
> >
> > Description:
> >
> > Private Data Structure Returned From A Public Method vulnerability in
> Apache Answer.
> >
> > This issue affects Apache Answer: through 1.4.2.
> >
> > If a user uses an externally referenced image, when a user accesses this
> image, the provider of the image may obtain private information about the
> IP address of that accessing user.
> > Users are recommended to upgrade to version 1.4.5, which fixes the
> issue. In the new version, administrators can set whether external content
> can be displayed.
>
> This hits two major pet peeves of mine:
>
> First, only versions through 1.4.2 are vulnerable, but the issue was
> fixed in 1.4.5?  What about 1.4.3 and 1.4.4?
>
> Second, the short description is *not* an accurate summary of the
> issue:  there is no public method that returns a private data structure
> here.  The possibility of planting a web bug (this is an ancient issue
> and the reason better email clients block references to remote media by
> default) is *different* from Apache Answer *itself* exposing a public
> method that leaks private data.
>
> This issue is more akin to XSS, except that web bugs are older than
> JavaScript.  The "leaked" IP address originates from the *user's*
> machine making a connection to retrieve an untrusted resource.  Perhaps
> "same origin" should have been imposed on images, but it is not.
>
>
> -- Jacob

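The behaviour described in the reply above (same-origin images rendered as before, different-origin images restricted by an administrator setting) expressed as an added Go example. This is not code from Apache Answer: the function names, the `siteOrigin` parameter, the `allowExternal` flag and the sample HTML are assumptions constructed for illustration. It shows the same-origin test Jacob's message alludes to (scheme, host and port must all match; relative references pass, protocol-relative and other-host references do not) and the rewrite that stops the reader's browser from fetching the remote image, so the image host never sees the reader's IP address.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample of rendered answer HTML (not taken from Apache Answer):
// two same-origin images followed by two cross-origin "web bug" style images.
const sampleHTML = `<p>see <img src="/uploads/a.png" alt="a"> and ` +
	`<img src="https://answer.example/uploads/b.png" alt="b">` +
	`<IMG SRC='//tracker.example/p.gif' width=1 height=1>` +
	`<img src="http://tracker.example/pixel.png?u=42"></p>`

var (
	// Matches each <img ...> tag. A regexp keeps the example free of
	// third-party modules; production code should walk a parsed HTML tree,
	// since "[^>]*" stops at any '>' inside an attribute value.
	imgTag = regexp.MustCompile(`(?i)<img\b[^>]*>`)
	// Extracts the src attribute value (double-quoted, single-quoted or bare).
	srcAttr = regexp.MustCompile(`(?i)\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
)

// imgSource returns the src value of one <img> tag; ok is false when the tag
// has no src attribute at all.
func imgSource(tag string) (src string, ok bool) {
	m := srcAttr.FindStringSubmatch(tag)
	if m == nil {
		return "", false
	}
	for _, g := range m[1:] {
		if g != "" {
			return g, true
		}
	}
	return "", true // src="" is present but empty
}

// resolveOrigin resolves ref against the site URL and reports whether the
// result has the same origin (scheme, host and port). Relative references are
// same-origin by construction; protocol-relative ("//host/...") references,
// a different port or a scheme change (http vs https) are not.
func resolveOrigin(site *url.URL, ref string) (*url.URL, bool) {
	u, err := url.Parse(strings.TrimSpace(ref))
	if err != nil {
		return nil, false // unparsable: treat as cross-origin so it is blocked
	}
	resolved := site.ResolveReference(u)
	same := strings.EqualFold(resolved.Scheme, site.Scheme) &&
		strings.EqualFold(resolved.Host, site.Host)
	return resolved, same
}

// FilterExternalImages applies the assumed administrator setting to rendered
// HTML. With allowExternal true the content is returned untouched. Otherwise
// every cross-origin <img> is replaced by a plain link (for http/https) or a
// text placeholder (anything else), so the reader's browser never fetches the
// resource automatically. The blocked src values are returned for logging.
func FilterExternalImages(rendered, siteOrigin string, allowExternal bool) (string, []string, error) {
	site, err := url.Parse(siteOrigin)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return "", nil, fmt.Errorf("site origin must be an absolute URL, got %q", siteOrigin)
	}
	if allowExternal {
		return rendered, nil, nil
	}
	var blocked []string
	out := imgTag.ReplaceAllStringFunc(rendered, func(tag string) string {
		src, ok := imgSource(tag)
		if !ok {
			return tag
		}
		resolved, same := resolveOrigin(site, src)
		if same {
			return tag
		}
		blocked = append(blocked, src)
		if resolved != nil && (resolved.Scheme == "http" || resolved.Scheme == "https") {
			// Keep the reference reachable, but only on an explicit click.
			return fmt.Sprintf(`<a href="%s" rel="noopener noreferrer">[external image blocked by site policy]</a>`,
				html.EscapeString(resolved.String()))
		}
		return "[external image blocked by site policy]"
	})
	return out, blocked, nil
}

func main() {
	out, blocked, err := FilterExternalImages(sampleHTML, "https://answer.example", false)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println("blocked:", blocked)
}
```

Run with the sample input and the two `tracker.example` images become links while both `answer.example` images are left untouched; with `allowExternal` set to true the HTML passes through unchanged, which is the permissive side of the administrator setting.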