Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://shonk.social/notes/9ptp522pkhne001g">Sharkey - Official Account (sharkey@shonk.social)'s status on Saturday, 17-Feb-2024 23:50:06 JST</a><a href="https://shonk.social/@Sharkey" title="sharkey@shonk.social"><img src="https://gnusocial.jp/avatar/219325-48-20231201200645.webp" width="48" height="48" alt="Sharkey - Official Account" style="position: absolute; left: 0; top: 0;">Sharkey - Official Account</a><div><ul><li></ul></div></section><article><p><i><i>IMPORTANT SECURITY UPDATE, BOOST THIS POST</i></i><br>We have released a hot-fix that patches the recent Misskey vulnerability, that allows users to impersonate remote users<br><a href="https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32">https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32</a><br><br>Please update your instances to the latest stable release with the hotfix 2023.12.1 or if using develop to the lastest develop image or commit<br><br>thanks to <a href="https://transfem.social/@sugar">@sugar@transfem.social</a> for bringing this to our attention before everyone else</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2728761#notice-5412927">In conversation</a><time datetime="2024-02-17T23:50:06+09:00" title="Saturday, 17-Feb-2024 23:50:06 JST">about 9 months ago</time> <span>from <span><a href="https://shonk.social/notes/9ptp522pkhne001g" rel="external" title="Sent from shonk.social via ActivityPub">shonk.social</a></span></span><a href="https://shonk.social/notes/9ptp522pkhne001g">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32">Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts</a></h5><div></div></header><div>### SummaryWhen fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, wh...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Sharkey - Official Account (sharkey@shonk.social)'s status on Saturday, 17-Feb-2024 23:50:06 JSTSharkey - Official Account
- Sugar
IMPORTANT SECURITY UPDATE, BOOST THIS POST
We have released a hot-fix that patches the recent Misskey vulnerability, that allows users to impersonate remote users
https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32

Please update your instances to the latest stable release with the hotfix 2023.12.1 or if using develop to the lastest develop image or commit

thanks to @sugar@transfem.social for bringing this to our attention before everyone else
In conversationabout 9 months ago from shonk.socialpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts
  ### Summary When fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, wh...

Public

Embed Notice

HTML Code

Corresponding Notice