Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://lain.com/objects/02a7a6ad-2514-4055-a1d4-a774bc3f5ea4">on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 03:26:58 JST</a><a href="https://lain.com/users/lain" title="lain@lain.com"><img src="https://gnusocial.jp/avatar/1291-48-20220725101607.webp" width="48" height="48" alt="on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ" style="position: absolute; left: 0; top: 0;">on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ</a></section><article>Alright, we found a second exploit that is much worse than the first one I found, it involves a bug in our oembed parser. A new release is being prepared right now. Unless there's a third exploit, this can be mitigated by disabling rich media in the pleroma settings. Frontends other than pleroma-fe might also be not vulnerable.<br><br>What alex is recommending here will also fix the issue, so you can do that as well:<br><br><a href="https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO">https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO</a></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1591291#notice-3137597">In conversation</a><time datetime="2023-05-27T03:26:58+09:00" title="Saturday, 27-May-2023 03:26:58 JST">Saturday, 27-May-2023 03:26:58 JST</time> <span>from <span><a href="https://lain.com/objects/02a7a6ad-2514-4055-a1d4-a774bc3f5ea4" rel="external" title="Sent from lain.com via ActivityPub">lain.com</a></span></span><a href="https://lain.com/objects/02a7a6ad-2514-4055-a1d4-a774bc3f5ea4">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: media.gleasonator.com</div><h5><a href="https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO">Alex Gleason :soapbox: (@alex@gleasonator.com)</a></h5><div></div></header><div>Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:yoursite.com/media -&gt; media.yoursite.com yoursite.com/proxy -&gt; proxy.yoursite.comTo d...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Saturday, 27-May-2023 03:26:58 JST on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ
Alright, we found a second exploit that is much worse than the first one I found, it involves a bug in our oembed parser. A new release is being prepared right now. Unless there's a third exploit, this can be mitigated by disabling rich media in the pleroma settings. Frontends other than pleroma-fe might also be not vulnerable.

What alex is recommending here will also fix the issue, so you can do that as well:

https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
In conversationSaturday, 27-May-2023 03:26:58 JST from lain.compermalink
Attachments
1. Domain not in remote thumbnail source whitelist: media.gleasonator.com
  Alex Gleason :soapbox: (@alex@gleasonator.com)
  Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:yoursite.com/media -> media.yoursite.com yoursite.com/proxy -> proxy.yoursite.comTo d...

Public

Embed Notice

HTML Code

Corresponding Notice