GNU social JP
Conversation

Notices

  1. Oneesan succubus (lain@pleroma.soykaf.com)'s status on Friday, 04-Aug-2023 20:22:30 JST
    • Haelwenn /элвэн/ :triskell:
    • feld
    A new Pleroma security release is out that you should install immediately. If you cannot do so for some reason, activate filename anonymization.

    Thanks to @feld and @lanodan for handling this so quickly!

    https://pleroma.social/announcements/2023/08/04/pleroma-security-release-2.5.3/
    In conversation Friday, 04-Aug-2023 20:22:30 JST from pleroma.soykaf.com permalink

    Attachments

    1. Pleroma security release: 2.5.3
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 04-Aug-2023 20:29:28 JST
      in reply to
      • feld
      • Luca Sironi
      @luca @feld @lain There are always OTP builds with releases.
      In conversation Friday, 04-Aug-2023 20:29:28 JST permalink
    • Luca Sironi (luca@sironi.tk)'s status on Friday, 04-Aug-2023 20:29:32 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • feld

      @lain @feld @lanodan

      Is an OTP release foreseen?

      In conversation Friday, 04-Aug-2023 20:29:32 JST permalink
    • Sexy Moon (moon@shitposter.club)'s status on Friday, 04-Aug-2023 20:34:36 JST
      in reply to
      • :blobcatflower:
      • snacks
      @methyltheobromine @snacks Akkoma release soon, it's already on their dev branch.
      In conversation Friday, 04-Aug-2023 20:34:36 JST permalink
    • :blobcatflower: (methyltheobromine@netzsphaere.xyz)'s status on Friday, 04-Aug-2023 20:34:40 JST
      in reply to
      • snacks
      @snacks Is this included in Akkoma? Or do we have filename anonymization activated?
      In conversation Friday, 04-Aug-2023 20:34:40 JST permalink
    • snacks (snacks@netzsphaere.xyz)'s status on Friday, 04-Aug-2023 20:34:43 JST
      in reply to
      • :blobcatflower:
      @methyltheobromine ???
      In conversation Friday, 04-Aug-2023 20:34:43 JST permalink
    • :blobcatflower: (methyltheobromine@netzsphaere.xyz)'s status on Friday, 04-Aug-2023 20:34:44 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • feld
      • snacks
      @lain @feld @lanodan @snacks
      In conversation Friday, 04-Aug-2023 20:34:44 JST permalink
    • feld (feld@bikeshed.party)'s status on Friday, 04-Aug-2023 20:45:27 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • 
      People begged for a way to share packs and we provided
      In conversation Friday, 04-Aug-2023 20:45:27 JST permalink
    • (mint@ryona.agency)'s status on Friday, 04-Aug-2023 20:45:29 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • feld
      @lain @feld @lanodan Why the fuck is emoji pack even a thing? Was just putting them in the emoji dir not enough?
      In conversation Friday, 04-Aug-2023 20:45:29 JST permalink
    • narcolepsy and alcoholism :flag: (hj@shigusegubu.club)'s status on Friday, 04-Aug-2023 20:48:54 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • 
      • feld
      @feld @lain @lanodan @mint Did they though? I just wanted to put a simple zip file that I could upload to the server, not this... maven ivy repository... stuff
      In conversation Friday, 04-Aug-2023 20:48:54 JST permalink
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 04-Aug-2023 20:50:13 JST
      in reply to
      • 
      • feld
      @feld @lain @mint And it makes sense if you consider managed instances where access to the filesystem should be avoided.
      In conversation Friday, 04-Aug-2023 20:50:13 JST permalink
    • feld (feld@bikeshed.party)'s status on Friday, 04-Aug-2023 20:50:47 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • 
      • narcolepsy and alcoholism :flag:
      I wasn't the target audience either 🙃
      In conversation Friday, 04-Aug-2023 20:50:47 JST permalink
    • feld (feld@bikeshed.party)'s status on Friday, 04-Aug-2023 20:52:27 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      Btw if your media is hosted on an S3 bucket instead of regular filesystem you're not affected
      In conversation Friday, 04-Aug-2023 20:52:27 JST permalink
    • narcolepsy and alcoholism :flag: (hj@shigusegubu.club)'s status on Friday, 04-Aug-2023 20:52:43 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • 
      • feld
      @feld @lain @lanodan @mint part of it was purposefully made to make making of packs from external resources, i.e. finmoji which added the complexity that no other purpose needs because people tend to not give a shit about laws
      In conversation Friday, 04-Aug-2023 20:52:43 JST permalink
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 04-Aug-2023 20:53:11 JST
      in reply to
      • 
      • feld
      @mint @feld @lain
      > Just zip them up

      That's pretty much what it does.
      In conversation Friday, 04-Aug-2023 20:53:11 JST permalink
    • (mint@ryona.agency)'s status on Friday, 04-Aug-2023 20:53:12 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • feld
      @feld @lain @lanodan Just zip them up and upload them somewhere, or maybe make a git repo in case it gets updated frequently.
      In conversation Friday, 04-Aug-2023 20:53:12 JST permalink
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 04-Aug-2023 21:02:21 JST
      in reply to
      • 
      • feld
      @mint @feld @lain As put in the OP, <hash>.ext should be safe but best is updating.
      In conversation Friday, 04-Aug-2023 21:02:21 JST permalink
    • (mint@ryona.agency)'s status on Friday, 04-Aug-2023 21:02:22 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • 
      • feld
      @feld @lain @lanodan Anyway, if deduplication (which, I assume, is responsible for upload URLs being /media/<hash>.ext?name=<name>.ext instead of /media/<uuid>/<name>.ext) is enabled, is the server still vulnerable?
      In conversation Friday, 04-Aug-2023 21:02:22 JST permalink

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.