Hi Jacob,

First, we don't have the 1.4.3 and 1.4.4 versions. You can check out all of our releases on GitHub. [1]

Second, this fix does not affect the same-origin policy. It means that same-origin images will be displayed usually, while different-origin images will be restricted according to the administrator's settings.

Best regards,
LinkinStar

[1] https://github.com/apache/answer/releases

On Wed, Apr 2, 2025 at 7:32 AM Jacob Bachmeyer <jcb62...@gmail.com> wrote:

> On 3/31/25 21:44, Enxin Xie wrote:
> > [...]
> >
> > Description:
> >
> > Private Data Structure Returned From A Public Method vulnerability in Apache Answer.
> >
> > This issue affects Apache Answer: through 1.4.2.
> >
> > If a user uses an externally referenced image, when a user accesses this image, the provider of the image may obtain private information about the IP address of that accessing user.
> > Users are recommended to upgrade to version 1.4.5, which fixes the issue. In the new version, administrators can set whether external content can be displayed.
>
> This hits two major pet peeves of mine:
>
> First, only versions through 1.4.2 are vulnerable, but the issue was fixed in 1.4.5? What about 1.4.3 and 1.4.4?
>
> Second, the short description is *not* an accurate summary of the issue: there is no public method that returns a private data structure here. The possibility of planting a web bug (this is an ancient issue and the reason better email clients block references to remote media by default) is *different* from Apache Answer *itself* exposing a public method that leaks private data.
>
> This issue is more akin to XSS, except that web bugs are older than JavaScript. The "leaked" IP address originates from the *user's* machine making a connection to retrieve an untrusted resource. Perhaps "same origin" should have been imposed on images, but it is not.
>
>
> -- Jacob
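The behaviour described in the reply above (same-origin images shown, different-origin images subject to an administrator setting) can be sketched as a render-time check. This is an added example, not Apache Answer's code: the `external_policy` values, the `allowed_hosts` parameter, the function names and the sample hosts are all hypothetical.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def image_decision(site_url, img_src, external_policy, allowed_hosts=()):
    """Decide whether an <img> reference in user content is rendered.

    external_policy is a hypothetical admin setting:
    "allow", "allowlist" or "block".
    Returns "show" or "block".
    """
    # Resolve relative and protocol-relative references against the site,
    # the same way a browser would before fetching.
    resolved = urljoin(site_url, img_src.strip())
    src_origin = origin(resolved)
    if src_origin is None:
        # Not a classifiable http(s) fetch; this sketch refuses it.
        return "block"
    if src_origin == origin(site_url):
        return "show"  # same origin: no third party sees the reader's IP
    if external_policy == "allow":
        return "show"
    if external_policy == "allowlist" and src_origin[1] in allowed_hosts:
        return "show"
    return "block"


# Constructed sample values, not taken from the advisory.
SITE = "https://answer.example.org/questions/10010000000000001"
```
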