Conversation

Notices

1. Embed this notice
   on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 01:56:02 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ
   There might be a second attack vector for the exploit, i recommend deactivating rich_media (i.e. website previews)
   in your pleroma config for the time being
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 09:52:52 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • 御園はくい
     @hakui if it says rich media anyway, deactivate. I thinks its deactivated by default. Ifcyou don't see previews for links, its not active.
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Saturday, 27-May-2023 09:52:53 JST 御園はくい

     in reply to
     @lain uhhh how do i do that again i haven't touched the config file for so long i forgot where it was
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 10:15:41 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • Salastil
     @Salastil update to the new release, that's all
   • Embed this notice
     Salastil (salastil@pleroma.salastil.com)'s status on Saturday, 27-May-2023 10:15:42 JST Salastil

     in reply to
     At the end of all of this can you write up a news article detailing all of the various changes and other mitigation required? Everything is split across a dozen random posts and replies at all hours of the day, having a detailed news article on the feed explaining what happened, how and why such changes are to done would be highly helpful, not just for the immediate timeframe but for new admins months from now.
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Saturday, 27-May-2023 11:04:43 JST 御園はくい

     in reply to
     @lain nope i see previews all right
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 11:04:43 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • 御園はくい
     @hakui well then deactivate it
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Saturday, 27-May-2023 11:06:13 JST 御園はくい

     in reply to
     @lain where
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ likes this.
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 11:08:04 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • 御園はくい
     @hakui docs.pleroma.social
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 21:24:10 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • Oneesan succubus
     • Salastil
     • Luca Sironi
     @luca @Salastil @lain good question, there isn't really a perfect place for this yet. Although it doesn't happen very often, so I'm not sure if something is needed.
   • Embed this notice
     Luca Sironi (luca@sironi.tk)'s status on Saturday, 27-May-2023 21:24:13 JST Luca Sironi

     in reply to

     • Oneesan succubus
     • Salastil

     @lain @Salastil

     hello @lain thank you for 2.5.2

     is there an official point of reference that pleroma admin should follow for those kind of sudden issues and immediate action to take? I wasn’t, but i could have been attacked if i didn’t saw your suggestions. Yesterday i simply saw in my timeline one message from Alex Gleason and then i started following you on this profile and on @lain with alerts on.

     Does not seems the right place to follow you if i’m just interested in pleroma security…

   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 22:47:15 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • 御園はくい
     @hakui do you have your config in the database?
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Saturday, 27-May-2023 22:47:16 JST 御園はくい

     in reply to
     @lain ehh i don't have rich_media in my config but links still have thumbnails?
     image.png
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 22:50:23 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • 御園はくい
     @hakui maybe put config in and explicitly disable it
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 23:04:14 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • 御園はくい
     @hakui Si
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Saturday, 27-May-2023 23:04:15 JST 御園はくい

     in reply to
     @lain config :pleroma, :rich_media, enabled: false like this?
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Saturday, 27-May-2023 23:06:25 JST 御園はくい

     in reply to

     • 御園はくい
     @lain hmm yep it worked :burd:
     thanks!
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ likes this.
   • Embed this notice
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 23:07:16 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ

     in reply to

     • 御園はくい
     @hakui if you can you should also do this: https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Saturday, 27-May-2023 23:12:28 JST 御園はくい

     in reply to
     @lain i'm the only one on my instance uploading anything so i think i'll take the risk..
     on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ likes this.