From: David Philip Brondsema
To: oss-security@lists.openwall.com
Message-ID: <1f25ea72-be53-48d8-6e00-3ace55a2638a@apache.org>
Date: Mon, 10 Jun 2024 16:12:31 +0000
Subject: [oss-security] CVE-2024-36471: Apache Allura: sensitive information exposure via DNS rebinding

Severity: important

Affected versions:
- Apache Allura 1.0.1 through 1.16.0

Description:

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them.

This issue affects Apache Allura from 1.0.1 through 1.16.0.

Users are recommended to upgrade to version 1.17.0, which fixes the issue.

If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

Credit:
truff https://x.com/truffzor (finder)

References:
https://allura.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-36471
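The advisory describes a check-then-use gap: the import URL's hostname is validated once, then resolved again when the fetch happens, so a DNS answer that changes in between lands the request on an internal address. The example below is added here for illustration and is not Allura's code or its fix. It puts the unpinned pattern beside the pinned one (resolve once, validate that answer, connect to that same address) and drives both with a constructed scripted resolver and a constructed connection recorder, so it runs offline; the hostname, addresses and function names are all assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit


def is_public_address(ip_str: str) -> bool:
    """True only for globally routable addresses; loopback, RFC 1918,
    link-local (including the 169.254.169.254 metadata range), multicast,
    reserved and unspecified addresses are all rejected."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class RebindingResolver:
    """Constructed stand-in for DNS: hands out answers from a scripted list,
    so 'first lookup public, second lookup internal' can be reproduced offline."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def resolve(self, hostname: str) -> str:
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return answer


def record_connection(ip: str, hostname: str) -> dict:
    """Constructed stand-in for the HTTP fetch: reports which address was
    contacted and which name went into the Host header."""
    return {"connected_to": ip, "host_header": hostname}


def _hostname_of(url: str) -> str:
    hostname = urlsplit(url).hostname
    if hostname is None:
        raise ValueError("URL has no host component")
    return hostname


def import_unpinned(url: str, resolver, connect=record_connection) -> dict:
    """Vulnerable pattern (hypothetical): the name is resolved once for the
    check and again for the connection, so the check covers a different
    address than the one actually contacted."""
    hostname = _hostname_of(url)
    if not is_public_address(resolver.resolve(hostname)):
        raise ValueError("refusing non-public address")
    # Second resolution: a changed DNS answer is used without re-validation.
    return connect(resolver.resolve(hostname), hostname)


def import_pinned(url: str, resolver, connect=record_connection) -> dict:
    """Hardened pattern (hypothetical): resolve exactly once, validate that
    answer, and connect to that same address; the original name travels
    only as the Host header."""
    hostname = _hostname_of(url)
    ip = resolver.resolve(hostname)
    if not is_public_address(ip):
        raise ValueError("refusing non-public address")
    return connect(ip, hostname)


if __name__ == "__main__":
    url = "http://imports.example/export.json"  # constructed URL
    # Constructed rebinding scenario: public answer first, loopback second.
    print(import_unpinned(url, RebindingResolver(["93.184.216.34", "127.0.0.1"])))
    print(import_pinned(url, RebindingResolver(["93.184.216.34", "127.0.0.1"])))
```

In a real fetch the pinned address is what you pass to the connection (for example `http.client.HTTPConnection(ip)`, with the `Host` header set to the original hostname and, for HTTPS, the server name set explicitly for certificate checking); each redirect hop needs the same resolve-validate-pin treatment, since a redirect target is another attacker-chosen URL.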