Oneesan succubus (lain@pleroma.soykaf.com), Saturday, 27-May-2023 03:30:14 JST:
Alright, we found a second exploit that is much worse than the first one I found, it involves a bug in our oembed parser. A new release is being prepared right now. Unless there's a third exploit, this can be mitigated by disabling rich media in the pleroma settings. Frontends other than pleroma-fe might also be not vulnerable.
What alex is recommending here will also fix the issue, so you can do that as well:
https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO-
eri :vlpn_smol::therian: (eri@moth.zone), Saturday, 27-May-2023 03:37:40 JST:
@lain so, just to double check, if uploads are hosted on a separate domain, you're safe?
Oneesan succubus (lain@pleroma.soykaf.com), Saturday, 27-May-2023 03:37:40 JST:
@eri as far as i know, yes. the other domain should not have access to your oauth tokens.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me), Saturday, 27-May-2023 03:39:23 JST:
@lain What an unexpected throwback to when I added base_url as a hack to still host my server at home behind an ADSL line but have a caching proxy on my VPS for media files.
Oneesan succubus (lain@pleroma.soykaf.com), Saturday, 27-May-2023 03:39:58 JST:
@eri well, and it can't be script sourced from root, so it fixes both exploits