pixelfed instance admins: Please update pixelfed to v0.12.5 asap. The version contains fixes for serious security vulnerabilities that I reported.
I will disclose further details about the vulnerabilities in about 24 hours.
:boost_requested:
@fionafokus@mystical.garden Side-question here, since I'm not very familiar with the code.

@fionafokus It's an interesting read, and yet another example of lack of testing of the product before release. I'm not saying all bugs would be eliminated, but there are many, some very trivial, that would never have made it through any kind of testing. Also disappointing that common practice was not adhered to in the way security reporting/fixing was handled by the developer. Exposing risk to the community unnecessarily. Great article.

(sort of side question, but my curiosity is sparked) obviously for something with this many users, they should not rely on just their users, especially for this flavour of issue.

@fionafokus @daj @draNgNon there is that activitypub test suite which also received sovereign tech fund money weee

oh it ... didn't cross my mind someone would put software out there for others to use and contribute to without automated testing to ensure it would continue to enjoy being functional. I was interpreting "any kind of testing" to mean more like QA (or I guess in the UK, they call it QC)

@draNgNon @daj @fionafokus yeah technically a good idea but based upon my own experience trying to work with that project - it falls apart even earlier. To give you a lil example. The frontend code used to be compiled and pushed into the repo by the one and only dev of this. Combining this with a broken build process on "main" for over half a year - there was a lot of compiled frontend code checked in that was actually not matching the source alongside...

...i'm a release engineer. these problems, i understand and mentally associate with startup culture, which i guess is appropriate here.

@fionafokus thank you for your work here, and your attempts to limit the damage by responsible disclosure, and the excellent writeup. I agree that there's an important discussion about the impact of this pattern of reckless behavior (and the willingness of so many cis male fediverse influencers to give it a pass and encourage people to donate to a project with this track record).

@thenexusofprivacy @fionafokus I've seen people trying to frame valid criticism against him as homophobia... it's fucking insane.

@fionafokus@mystical.garden @fionafokus isn't that a fundamental problem? what stops a person who wants to follow people without their consent from running their own server? (... my suspicion is that the desire of many fediversians to be visible and invisible at the same time is one of the internal contradictions that means other platforms win)

@UP8 @fionafokus that requires that the new instance has at least one account which was approved by the private account owner - the problem is that shared instances where one user has successfully requested a follow to a private account are then responsible to enforce which of their users can and cannot see these posts (hope that explains it)

@fionafokus@mystical.garden Wow, that was fumbled about as much as humanly possible. I am impressed.

@fionafokus given the vuln remains in 0.12.4, couldn't a malicious actor simply set up an instance and go to town? To me it feels as though that specific version should be blacklisted from federation then?

@fionafokus Thank you. It's clear @dansup needs more active co-maintainers. The project(s) suffer from the well-known single-hero-dev problem.

@fionafokus hmm, side-question, what makes it bad about publishing patches? or: why does coordinated disclosure exist? why does it matter that he published patches instead of following a disclosure timeline? we thought that was only a thing to avoid pissing off corporate entities/avoid lawsuits and CFAA charges?

It is already explained in the blog post. If you notify instance admins in advance, without revealing details about the vulnerability, the time window in which the bug can be exploited should be shortened.

@SoniEx2 @fionafokus The reason to have some sort of timeline/coordination is that, once the fix is public, the problem is (often) obvious to attackers. Saying "we will release a fix for a serious issue at this time" allows everyone who needs to patch it to be ready, so they can minimize the time they're vulnerable.

That is so unfortunate. And I was thinking seriously about opening up another instance on pixelfed to allow for extended essays. Is there a safer alternative out there that allows for more than 500-character toots and 4 images??

@AnthonyJK but can't you just increase the character limit in any standard masto instance? That was configurable to my knowledge - just the default being 500...

I can't on mine, because I'm on a self-hosted paid monthly subscription plan via masto.host, and they don't allow you that privilege of increasing toot character length. I would have to sign up with a separate instance from another platform like Lenny in order to have more room to toot.

@fionafokus How can I check if all pixelfed instances I ever allowed followers from have updated their software? It looks like I can't even export a list of my current followers in Mastodon...

@fionafokus if i had a nickel for every software i use that required a new version of PHP in a minor/patch update, i'd have two nickels, which isn't a lot, but breaking changes go into major releases jfc

Thx a lot for making this public and for your dedication and effort. Thx again!

@fionafokus i was sure this was just a shitpost when i saw this yesterday. like, you noticed there's a new version quietly released and posted this as a joke because that's def not how such a project would handle a security release

@fionafokus Ping @doktorzjivago