On 8/25/20 2:25 AM, Petter Reinholdtsen wrote:
> [James Valleroy]
>> An issue has been found in FreedomBox that allows anonymous and
>> unauthorized users to access private and potentially security relevant
>> information. The information is shown on an Apache Server Status page
>> and includes the IP address and URL request path for clients accessing
>> pages on the server.
>
> Ouch, that was nasty. Anyone could via pagekite look at some of the
> valid URLs visited on my Freedombox. Luckily all of them require
> authentication, and the only IP address exposed is on the private
> (192.168/16) net inside my house.
>
> Is there a CVE assigned to this issue?

Yes, it is now assigned CVE-2020-25073.

https://security-tracker.debian.org/tracker/CVE-2020-25073

--
James