Alex Gleason on Nostr: Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to ...
Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.
Have you ever tried downloading an emoji pack from a server? No? Well that's the vulnerable code.
Anyway, hopefully everyone is using s3 for uploads by now and has the dedupe filter enabled.
Patch is being merged into Rebased now: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263
A patch was ready yesterday but I figured I'd wait til after it landed upstream first.
quoting note1ch0…p442:
A new Pleroma security release is out that you should install immediately. If you can not do so for some reason, activate filename anonymization.
Thanks to feld (npub1yck…ujmw) and Haelwenn /элвэн/ :triskell: (npub1ysu…2jyl) for handling this so quickly!
https://pleroma.social/announcements/2023/08/04/pleroma-security-release-2.5.3/
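The two mitigations the post points to (the dedupe filter and filename anonymization) live in Pleroma's upload filter chain. The fragment below is an added illustration, not code from the post, the advisory or the Pleroma project; it assumes the module names `Pleroma.Upload.Filter.Dedupe`, `Pleroma.Upload.Filter.AnonymizeFilename` and `Pleroma.Uploaders.S3` as given in Pleroma's configuration cheatsheet, so check them against your release's documentation before applying.

```elixir
# config/prod.secret.exs (constructed example, not a real deployment)

# Weak: local disk uploader with no filters, so files are stored under the
# client-supplied name. This is the setting the advisory tells you to move away from.
#
# config :pleroma, Pleroma.Upload,
#   uploader: Pleroma.Uploaders.Local,
#   filters: []

# Hardened: object storage plus a filter chain that discards the user-chosen name.
config :pleroma, Pleroma.Upload,
  uploader: Pleroma.Uploaders.S3,
  filters: [
    # Renames the stored object to a hash of its content, so the original
    # filename never reaches storage and identical uploads collapse to one object.
    Pleroma.Upload.Filter.Dedupe,
    # Replaces the filename shown to clients with a random one (the "filename
    # anonymization" the advisory recommends if you cannot upgrade immediately).
    Pleroma.Upload.Filter.AnonymizeFilename
  ]

config :pleroma, Pleroma.Uploaders.S3,
  bucket: "EXAMPLE-BUCKET-PLACEHOLDER"  # placeholder; set to your bucket
```

Changing the filter chain only affects new uploads; existing files keep whatever name they were stored under.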