Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://gleasonator.com/objects/9015d60c-7bf0-4818-be5c-a2c846af3b5f">Alex Gleason (alex@gleasonator.com)'s status on Friday, 04-Aug-2023 23:39:15 JST</a><a href="https://gleasonator.com/users/alex" title="alex@gleasonator.com"><img src="https://gnusocial.jp/avatar/1712-48-20220726020642.webp" width="48" height="48" alt="Alex Gleason" style="position: absolute; left: 0; top: 0;">Alex Gleason</a><div><ul><li></ul></div></section><article>Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.<br><br>Have you ever tried downloading an emoji pack from a server? No? Well that's the vulnerable code.<br><br>Anyway, hopefully everyone is using s3 for uploads by now and has the dedupe filter enabled.<br><br>Patch is being merged into Rebased now: <a href="https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263">https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263</a><br><br>A patch was ready yesterday but I figured I'd wait til after it landed upstream first.<br><br>RT: <a href="https://pleroma.soykaf.com/objects/c655af15-7632-41e6-86f3-d06ab5bbb84a">https://pleroma.soykaf.com/objects/c655af15-7632-41e6-86f3-d06ab5bbb84a</a></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1903856#notice-3735145">In conversation</a><time datetime="2023-08-04T23:39:15+09:00" title="Friday, 04-Aug-2023 23:39:15 JST">Friday, 04-Aug-2023 23:39:15 JST</time> <span>from <span><a href="https://gleasonator.com/objects/9015d60c-7bf0-4818-be5c-a2c846af3b5f" rel="external" title="Sent from gleasonator.com via ActivityPub">gleasonator.com</a></span></span><a href="https://gleasonator.com/objects/9015d60c-7bf0-4818-be5c-a2c846af3b5f">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: gitlab.com</div><h5><a href="https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263">Merge Pleroma (security fix) (!263) · Merge requests · Soapbox / Rebased · GitLab</a></h5><div></div></header><div>See: https://pleroma.social/announcements/2023/08/04/pleroma-security-release-2.5.3/</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/1362762">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Friday, 04-Aug-2023 23:39:15 JSTAlex Gleason
- Oneesan succubus
Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.

Have you ever tried downloading an emoji pack from a server? No? Well that's the vulnerable code.

Anyway, hopefully everyone is using s3 for uploads by now and has the dedupe filter enabled.

Patch is being merged into Rebased now: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263

A patch was ready yesterday but I figured I'd wait til after it landed upstream first.

RT: https://pleroma.soykaf.com/objects/c655af15-7632-41e6-86f3-d06ab5bbb84a
In conversationFriday, 04-Aug-2023 23:39:15 JST from gleasonator.compermalink
Attachments
1. Domain not in remote thumbnail source whitelist: gitlab.com
  Merge Pleroma (security fix) (!263) · Merge requests · Soapbox / Rebased · GitLab
  See: https://pleroma.social/announcements/2023/08/04/pleroma-security-release-2.5.3/
2. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice