Misskey and forks are vulnerable. > The recent CVE-2024-29510 vulnerability (Remote ...

Taggart :donor: /

npub14xx…cfzw

2024-07-03 16:19:11

in reply to nevent1q…5dan

Misskey and forks are vulnerable.

> The recent CVE-2024-29510 vulnerability (Remote Code Execution in Ghostscript) has been found to be exploitable against Sharkey and other Misskey-based software under specific environments. This is not a vulnerability in Sharkey itself, but in an optional dependency that may be installed as a system library. The official Sharkey docker images are not vulnerable, but bare-metal installations may be affected.
>
> An instance may be vulnerable if:
> - libgs and imagemagick are both installed.
> - libgs is older than 10.02.1, 10.01.2, 9.55.0, or 9.50.
>
> __To check the version of libgs:__
> - Execute dpkg -l | grep -P "ii\s+libgs\d".
> - If no results are found, then libgs is not installed and not vulnerable.
> - If the third column starts with 10.02.1, 10.01.2, 9.55.0, or 9.50, then libgs is patched and not vulnerable.
> - Otherwise, libgs is vulnerable.
>
> To patch the vulnerability:
> - Update libgs to the latest available version. The instructions will vary between environments.

Author Public Key

npub14xx8pgqrkzr5wg8afzflp2724gjyvyxurhrfyk9739fu892p2evqhwcfzw

Seen on

wss://relay.nostr.band

Show more details

Published at

2024-07-03 16:19:11

Kind type

1 Short Text Note

Event JSON

{ "id": "d35d743dd38ffea344345cde3c9ba939418aec3e43bab5760740598a94da12ff", "pubkey": "a98c70a003b0874720fd4893f0abcaaa244610dc1dc69258be8953c395415658", "created_at": 1720023551, "kind": 1, "tags": [ [ "e", "27c97f4cfe577666c92a26ff79e76aa28fb6809bfe6c6e3a6e0239e604878c9d", "", "reply" ], [ "p", "fe31a74ce7a735689686a4a8bdb765a8f4db945d91b67412c75058a82a51cffd" ], [ "p", "a98c70a003b0874720fd4893f0abcaaa244610dc1dc69258be8953c395415658" ], [ "e", "604328cfb07d5cd54dcd56e97d2f15c2807dde604a6ed71bbe28fdbadd697cf3", "", "root" ], [ "proxy", "https://infosec.town/notes/9v9lxbvmxfkbqv5y", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://infosec.town/notes/9v9lxbvmxfkbqv5y", "pink.momostr" ], [ "expiration", "1722616211" ] ], "content": "Misskey and forks are vulnerable.\n\n\u003e The recent CVE-2024-29510 vulnerability (Remote Code Execution in Ghostscript) has been found to be exploitable against Sharkey and other Misskey-based software under specific environments. This is not a vulnerability in Sharkey itself, but in an optional dependency that may be installed as a system library. The official Sharkey docker images are not vulnerable, but bare-metal installations may be affected.\n\u003e \n\u003e An instance may be vulnerable if:\n\u003e - libgs and imagemagick are both installed.\n\u003e - libgs is older than 10.02.1, 10.01.2, 9.55.0, or 9.50.\n\u003e \n\u003e __To check the version of libgs:__\n\u003e - Execute dpkg -l | grep -P \"ii\\s+libgs\\d\".\n\u003e - If no results are found, then libgs is not installed and not vulnerable.\n\u003e - If the third column starts with 10.02.1, 10.01.2, 9.55.0, or 9.50, then libgs is patched and not vulnerable.\n\u003e - Otherwise, libgs is vulnerable.\n\u003e \n\u003e To patch the vulnerability:\n\u003e - Update libgs to the latest available version. The instructions will vary between environments.", "sig": "261a4453dea43c15004542d378a6a76b7a773090167ba5da4a79fc52ddb4ca9ad2aa5f8301d447a50e3cc95e23ff83eb6e48e527e8eec0b6b38442b2a2add4b6" }