From gnoutchd at softwarefreedom.org Thu Aug 6 16:09:30 2020
From: gnoutchd at softwarefreedom.org (Daniel Gnoutcheff)
Date: Thu, 6 Aug 2020 11:09:30 -0400
Subject: [Freedombox-discuss] CALL: Saturday, August 8 at 14:00 UTC
Message-ID: <6a3643ab-98af-88b7-e0d3-6b4c13be595c@softwarefreedom.org>

The FreedomBox community's upcoming progress call is this Saturday,
August 8 at 14:00 UTC.

To access our calls, please use a Mumble voice over IP (VoIP) client
application (available for free for desktop and mobile). On your Mumble
client, please connect to server port 64738. Learn more about how to
connect here: https://wiki.debian.org/FreedomBox/ProgressCalls

You can find all future call reminders in the "Announcements" category
of our forum. Comments and agenda items can also be posted in the forum
thread for each call: https://discuss.freedombox.org/c/announcements

Later,
-- 
Daniel Gnoutcheff
Systems Administrator
Software Freedom Law Center

From pere at hungry.com Thu Aug 6 21:03:16 2020
From: pere at hungry.com (Petter Reinholdtsen)
Date: Thu, 06 Aug 2020 22:03:16 +0200
Subject: [Freedombox-discuss] How to set up email server on Debian and Ubuntu...
Message-ID:

For inspiration, check out . Perhaps something for us?

-- 
Happy hacking
Petter Reinholdtsen

From gnoutchd at softwarefreedom.org Wed Aug 19 16:09:06 2020
From: gnoutchd at softwarefreedom.org (Daniel Gnoutcheff)
Date: Wed, 19 Aug 2020 11:09:06 -0400
Subject: [Freedombox-discuss] CALL: Sunday, August 23 at 17:00 UTC
Message-ID: <1fc30f9c-3351-7724-651c-10acdf2907ee@softwarefreedom.org>

The FreedomBox community's upcoming progress call is this Sunday,
August 23 at 17:00 UTC.

To access our calls, please use a Mumble voice over IP (VoIP) client
application (available for free for desktop and mobile). On your Mumble
client, please connect to server port 64738. Learn more about how to
connect here: https://wiki.debian.org/FreedomBox/ProgressCalls

You can find all future call reminders in the "Announcements" category
of our forum. Comments and agenda items can also be posted in the forum
thread for each call: https://discuss.freedombox.org/c/announcements

Later,
-- 
Daniel Gnoutcheff
Systems Administrator
Software Freedom Law Center

From jvalleroy at mailbox.org Tue Aug 25 00:36:23 2020
From: jvalleroy at mailbox.org (James Valleroy)
Date: Mon, 24 Aug 2020 19:36:23 -0400
Subject: [Freedombox-discuss] Security/privacy issue for users of Tor onion service or Pagekite
Message-ID: <389b33ab-66c7-95b2-2328-3628edac0862@mailbox.org>

An issue has been found in FreedomBox that allows anonymous and
unauthorized users to access private and potentially security relevant
information. The information is shown on an Apache Server Status page
and includes the IP address and URL request path for clients accessing
pages on the server.

By default, Apache only allows access to the Server Status page from the
local machine. However, due to how Tor onion service and Pagekite are
used on FreedomBox, they bypass this restriction and allow anyone to
access the page.

We are planning to fix this issue in the next release of FreedomBox.
However, our releases have been delayed at the moment. Therefore, if you
are using Tor onion service or Pagekite, we strongly recommend that you
disable the Server Status page.

You can disable the page by running the following two commands on your
FreedomBox, either using Cockpit or SSH:

```
$ sudo a2dismod status
$ sudo systemctl restart apache2
```

If you have any questions, feel free to ask at any of the following
locations:

* Forum: https://discuss.freedombox.org/
* IRC: irc.debian.org, channel #freedombox
* Matrix: #freedombox:matrix.org
* Mailing list: https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss

From pere at hungry.com Tue Aug 25 07:25:41 2020
From: pere at hungry.com (Petter Reinholdtsen)
Date: Tue, 25 Aug 2020 08:25:41 +0200
Subject: [Freedombox-discuss] Security/privacy issue for users of Tor onion service or Pagekite
In-Reply-To: <389b33ab-66c7-95b2-2328-3628edac0862@mailbox.org>
References: <389b33ab-66c7-95b2-2328-3628edac0862@mailbox.org>
Message-ID:

[James Valleroy]
> An issue has been found in FreedomBox that allows anonymous and
> unauthorized users to access private and potentially security relevant
> information. The information is shown on an Apache Server Status page
> and includes the IP address and URL request path for clients accessing
> pages on the server.

Ouch, that was nasty. Anyone could via pagekite look at some of the
valid URLs visited on my Freedombox. Luckily all of them require
authentication, and the only IP address exposed is on the private
(192.168/16) net inside my house.

Is there a CVE assigned to this issue?

-- 
Happy hacking
Petter Reinholdtsen
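
Added example, not part of the thread and not FreedomBox's own code: a shell check that the `a2dismod status` mitigation from the advisory took effect, plus a count of how often the Server Status page was already served. The function names, the Debian default paths and the common/combined access-log format are assumptions.

```shell
#!/bin/sh
# Added example: confirm mod_status is off and review past exposure.
# Assumed defaults (Debian Apache layout); pass other paths as arguments.
MODS_DIR_DEFAULT=/etc/apache2/mods-enabled
ACCESS_LOG_DEFAULT=/var/log/apache2/access.log

# Succeeds (exit 0) while mod_status is still enabled, i.e. the
# status.load link that a2dismod removes is still present.
status_enabled() {
    [ -e "${1:-$MODS_DIR_DEFAULT}/status.load" ]
}

# Prints how many requests for /server-status were answered with HTTP 200.
# In common/combined log format, field 7 is the path and field 9 the status.
count_status_hits() {
    hits_log="${1:-$ACCESS_LOG_DEFAULT}"
    if [ ! -r "$hits_log" ]; then
        echo 0
        return 0
    fi
    awk '($7 == "/server-status" || index($7, "/server-status?") == 1) \
         && $9 == 200 { n++ } END { print n + 0 }' "$hits_log"
}

# Reports both findings; returns 1 if the mitigation is not in place.
audit() {
    audit_mods="${1:-$MODS_DIR_DEFAULT}"
    audit_log="${2:-$ACCESS_LOG_DEFAULT}"
    echo "served /server-status requests in $audit_log:" \
         "$(count_status_hits "$audit_log")"
    if status_enabled "$audit_mods"; then
        echo "mod_status is ENABLED: run 'sudo a2dismod status'" \
             "and 'sudo systemctl restart apache2'"
        return 1
    fi
    echo "mod_status is disabled"
}

# Run as: sh check-status.sh audit [mods-enabled-dir] [access-log]
if [ "${1:-}" = "audit" ]; then
    shift
    audit "$@"
fi
```

A non-zero hit count only shows that the page was served; the log alone does not say who read it.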