 
oss-sec mailing list archives
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses
From: Sam Bull <9m199i () sambull org>
Date: Fri, 27 Sep 2024 16:48:25 +0100
For WordPress websites that I host, I have code which caches the gravatar images on the server and serves them directly. My main goal was to disallow Gravatar tracking users across our websites (enforced with a Content-Security-Policy in addition to rewriting the image URLs). But, it does also rewrite the hashes used when served to the client. So, this could be used to avoid leaking user addresses. Not sure if that can apply to this software as well, but thought it was worth noting.

Sam
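The approach described in the message above, sketched as an added example; this is not Sam Bull's WordPress code and not Apache Answer's code. It assumes the client-facing identifier is an HMAC of the address under a server-side secret, a hypothetical local route `/avatar/<id>`, and a constructed secret and sample address.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// ImgCSP keeps browsers from fetching avatars from third-party hosts.
const ImgCSP = "img-src 'self'"

// normalize applies the trim-and-lowercase step Gravatar uses before hashing.
func normalize(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// UpstreamURL is used only server-side when filling the cache; the unkeyed
// hash in it can be matched against a list of candidate addresses.
func UpstreamURL(email string) string {
	sum := sha256.Sum256([]byte(normalize(email)))
	return "https://www.gravatar.com/avatar/" + hex.EncodeToString(sum[:])
}

// OpaqueID is what the client sees: HMAC-SHA256 keyed with a server secret,
// so it cannot be recomputed from an address without the key.
func OpaqueID(secret []byte, email string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(normalize(email)))
	return hex.EncodeToString(mac.Sum(nil))
}

// LocalAvatarPath is the rewritten URL placed in the page (hypothetical route).
func LocalAvatarPath(secret []byte, email string) string {
	return "/avatar/" + OpaqueID(secret, email)
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed; load from config in practice
	email := " Alice@Example.org "              // constructed sample address
	fmt.Println("server fetches:", UpstreamURL(email))
	fmt.Println("client sees:   ", LocalAvatarPath(secret, email))
	fmt.Println("Content-Security-Policy:", ImgCSP)
}
```

The server keeps the mapping from opaque ID to cached image, so the upstream hash never appears in served HTML.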
Current thread:
- CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Enxin Xie (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 25)
- RE: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Jeffrey Walton (Sep 25)
 
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses LinkinStar (Sep 26)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 26)
 
 
- RE: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Demi Marie Obenour (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Sam Bull (Sep 27)
 
 
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov (Sep 27)
 
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer (Sep 26)


