Notices by Oneesan succubus (lain@pleroma.soykaf.com), page 2
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Monday, 22-Apr-2024 14:59:20 JST
@viking iggy pop looking good for 99 years
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Monday, 22-Apr-2024 14:52:37 JST
> The author of DOOM for SNES, Randy Linden, did not have access to any documentation about the GSU chip or even DOOM source code. He reverse engineered all of it[33]. Randy did a superb job since this is the only console port able to use the PC levels (other consoles had to simplify the geometry).

okay wtf
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Monday, 22-Apr-2024 14:39:18 JST
Weird to think that a cart would have not only an extra processor, but a processor that is clocked at 4 times the speed of the one in the console.
https://fabiensanglard.net/snes_carts/index.html
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Saturday, 06-Apr-2024 08:58:14 JST
Stinky boys keep moving this is a fresh and clean clean neighborhood
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Sunday, 31-Mar-2024 14:38:17 JST
The fine folks at akkoma released a security update that fixes some things with the diverse ways of putting stuff on your domain (uploads, stolen emoji, mediaproxy). Some of those patches will make it into Pleroma too, but for now:

RUN UPLOADS AND MEDIA PROXY ON A DIFFERENT SUBDOMAIN. That prevents any impersonation issues.

We will drop any support for same-domain setups in the near future, it's just not worth the risk.

Check out the information provided by akkoma for details and more fine-grained mitigation steps: https://meta.akkoma.dev/t/akkoma-stable-2024-03-securer-i-barely-know-her/681
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Tuesday, 20-Feb-2024 18:20:44 JST
@graf ahead of the curve
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Tuesday, 20-Feb-2024 18:16:19 JST
Please update immediately or deactivate the emoji stealer:
https://pleroma.social/announcements/2024/02/20/pleroma-security-release-2.6.2/
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Saturday, 16-Dec-2023 20:12:22 JST
@dwaltiz @lain donezo
In conversation from gnusocial.jp
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Saturday, 05-Aug-2023 21:09:41 JST
Another Pleroma issue has been found, similar to yesterday's but this one also affects single user instances. Please update your servers once more, akkoma also has the same patch.
https://pleroma.social/announcements/2023/08/05/pleroma-security-release-2.5.4/

Thanks again to everyone involved in reporting and fixing this!
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Friday, 04-Aug-2023 20:22:30 JST
A new Pleroma security release is out that you should install immediately. If you cannot do so for some reason, activate filename anonymization.

Thanks to @feld and @lanodan for handling this so quickly!
https://pleroma.social/announcements/2023/08/04/pleroma-security-release-2.5.3/
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Monday, 29-May-2023 18:29:02 JST
PLEROMA ADMINS READ THIS, AKKOMA TOO

Another important pleroma security post: @alex and @graf found ANOTHER injection bug, and this one was probably used for the attack. I think that single user instances are probably not affected, but I wouldn't want to risk it. Move your media and proxy to a subdomain as alex initially recommended, it's not complicated and takes 15 minutes, and eliminates this whole class of bugs.

Fix is being worked on, but just do the media/proxy thing now so you'll never have to worry about this again.
https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Saturday, 27-May-2023 03:39:58 JST
@eri well, and it can't be script sourced from root, so it fixes both exploits
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Saturday, 27-May-2023 03:37:40 JST
@eri as far as i know, yes. the other domain should not have access to your oauth tokens.
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Saturday, 27-May-2023 03:30:14 JST
Alright, we found a second exploit that is much worse than the first one I found, it involves a bug in our oembed parser. A new release is being prepared right now. Unless there's a third exploit, this can be mitigated by disabling rich media in the pleroma settings. Frontends other than pleroma-fe might also not be vulnerable.

What alex is recommending here will also fix the issue, so you can do that as well:
https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Saturday, 27-May-2023 02:24:22 JST
There might be a second attack vector for the exploit, i recommend deactivating rich_media (i.e. website previews) in your pleroma config for the time being
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Friday, 26-May-2023 19:22:53 JST
@luca one of them is enough, a server had their admin oauth tokens stolen using a rather elaborate attack.
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Friday, 26-May-2023 18:37:31 JST
Just to be clear, if you run a pleroma server, it’s a very good idea to add this to your nginx config immediately:

location ~ ^/(media|proxy) {
    # keep whatever proxy directives this location already needs; an add_header
    # at this level replaces any add_header inherited from the enclosing block
    add_header Content-Security-Policy "sandbox;";
}

Most people will already not be vulnerable to this for a variety of reasons, but this will absolutely stop it.
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Friday, 26-May-2023 17:45:36 JST
I found out how the attack works, it indeed depends on mediaproxy, so if you don't use it you are safe.

You are also safe if you add this code to your nginx.

location ~ ^/(media|proxy) {
    # keep whatever proxy directives this location already needs; an add_header
    # at this level replaces any add_header inherited from the enclosing block
    add_header Content-Security-Policy "script-src 'none';";
}

Updates and fixes incoming, but this will fix the issue right away. There is a certain aspect of social engineering here, it will not just attack you by seeing an image inside pleroma-fe.
In conversation from pleroma.soykaf.com
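As an added example (not the author's code and not part of Pleroma or nginx), a small Python check an admin can run after adding either of the nginx snippets in the two posts above: it fetches the response headers for the /media and /proxy paths and parses the Content-Security-Policy to confirm scripts are really blocked there, by a `sandbox` without `allow-scripts`, by `script-src 'none'`, or (going slightly beyond the posts) by `default-src 'none'` with no `script-src`. The paths and the hostname passed on the command line are assumptions; the header values in the test are constructed.

```python
import sys
import urllib.error
import urllib.request

# Paths matched by the nginx "location ~ ^/(media|proxy)" block (assumed examples).
PATHS = ("/media/", "/proxy/")


def parse_csp(header_value):
    """Split one Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def blocks_scripts(header_value):
    """True if this policy alone stops script execution: a sandbox without
    allow-scripts, script-src 'none', or default-src 'none' with no script-src."""
    if not header_value:
        return False
    policy = parse_csp(header_value)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    if "script-src" in policy:
        return policy["script-src"] == ["'none'"]
    return policy.get("default-src") == ["'none'"]


def headers_block_scripts(values):
    """Several CSP headers are all enforced, so one blocking policy is enough."""
    return any(blocks_scripts(v) for v in values)


def check_instance(base_url, paths=PATHS):
    """Fetch each path and report whether its CSP blocks scripts (network call).
    A missing header usually means a nested location overrode add_header."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                values = resp.headers.get_all("Content-Security-Policy") or []
        except urllib.error.HTTPError as err:  # a 404 still carries the headers
            values = err.headers.get_all("Content-Security-Policy") or []
        results[path] = headers_block_scripts(values)
    return results


if __name__ == "__main__":
    for path, ok in check_instance(sys.argv[1]).items():
        print(f"{path}: {'scripts blocked' if ok else 'NOT blocked'}")
```

Run it as `python3 check_csp.py https://your-instance.example` (hostname assumed); a path reported as NOT blocked most often means the header was lost to another add_header in a more specific location.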
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Friday, 28-Apr-2023 19:08:35 JST
@EU_Commission is this a parody account?
In conversation from pleroma.soykaf.com
Oneesan succubus (lain@pleroma.soykaf.com)'s status on Wednesday, 26-Apr-2023 03:13:38 JST
@shpuld @lain @dwaltiz a few things:
- update pleroma
- update postgresql to the newest version (this is actually much easier and faster than i thought and you don't need to copy the database over)
- run migrations
- run vacuum analyze

I also scaled up the machine it's running on, but that didn't help, and now that i did the other things it mostly idles and doesn't go beyond 6gb ram usage, so i'll probably scale back.
In conversation from pleroma.soykaf.com