An issue has been found in FreedomBox that allows anonymous and unauthorized users to access private and potentially security-relevant information. The information is shown on an Apache Server Status page and includes the IP address and URL request path of clients accessing pages on the server.

By default, Apache only allows access to the Server Status page from the local machine. However, because of how the Tor onion service and Pagekite are used on FreedomBox, requests arriving through them reach Apache from the local machine, so they bypass this restriction and allow anyone to access the page.

We are planning to fix this issue in the next release of FreedomBox. However, our releases are delayed at the moment. Therefore, if you are using the Tor onion service or Pagekite, we strongly recommend that you disable the Server Status page. You can disable the page by running the following two commands on your FreedomBox, either using Cockpit or SSH:

```
$ sudo a2dismod status
$ sudo systemctl restart apache2
```

If you have any questions, feel free to ask at any of the following locations:

* Forum: https://discuss.freedombox.org/
* IRC: irc.debian.org, channel #freedombox
* Matrix: #freedombox:matrix.org
* Mailing list: https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
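As an added example (not part of this advisory or of the FreedomBox project), the following shell helpers let an administrator check whether mod_status is still enabled and look through the Apache access log for requests that actually served /server-status before applying the two commands above. The Debian paths are defaults and can be overridden; the log lines written by write_sample_log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the FreedomBox advisory. Paths are parameters so
# the checks can also be run against copies of the files.

# Report whether mod_status is enabled, judging by Debian's mods-enabled
# symlink layout that a2enmod/a2dismod maintain.
status_module_enabled() {
    mods_dir="${1:-/etc/apache2/mods-enabled}"
    if [ -e "$mods_dir/status.load" ]; then
        echo "enabled"
        return 0
    fi
    echo "disabled"
    return 1
}

# Count requests in a combined-format access log for which /server-status was
# actually served (2xx). A 403 means the local-only rule did its job.
# Note: requests forwarded by the Tor onion service or Pagekite arrive over
# loopback, so their client address is 127.0.0.1 or ::1 just like the admin's
# own requests; the address cannot tell them apart, so every served hit you
# did not make yourself deserves a look.
count_server_status_hits() {
    log="${1:-/var/log/apache2/access.log}"
    awk '$7 ~ /^\/server-status(\?.*)?$/ && $9 ~ /^2/ { n++ } END { print n+0 }' "$log"
}

# Constructed sample log (not real traffic) for trying the counter offline.
write_sample_log() {
    cat > "$1" <<'EOF'
127.0.0.1 - - [10/Oct/2020:13:55:36 +0000] "GET /server-status HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2020:13:55:40 +0000] "GET /plinth/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2020:13:56:02 +0000] "GET /server-status?auto HTTP/1.1" 200 512 "-" "curl/7.64.0"
192.0.2.10 - - [10/Oct/2020:13:56:09 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.64.0"
EOF
}

# Remediation from the advisory, applied only when the module is enabled.
disable_server_status() {
    if status_module_enabled "$1" >/dev/null; then
        sudo a2dismod status && sudo systemctl restart apache2
    fi
}
```

On a live FreedomBox, `count_server_status_hits` with no argument reads the default Debian access log; older rotated logs (access.log.1 and the .gz files) need to be passed explicitly.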