So @pixelfed still hasn't fully acknowledged nor fixed the security vulnerability from earlier this year, despite multiple people asking for updates over the past ~6 months.
Consider this friendly public encouragement to finish the fix and publish the security advisory.
@thisismissem@hachyderm.io Hey @dansup@mastodon.social, you need to fix this, dude.
@deadsuperhero @thisismissem the fix was shipped months ago, thanks for spreading misinformation!
@dansup @deadsuperhero so you shipped followers collection synchronisation? And you published the CVE? Because to my knowledge you haven't done either.
@dansup @deadsuperhero unless I'm missing something? https://github.com/search?q=repo%3Apixelfed%2Fpixelfed%20Collection-Synchronization&type=code
@dansup @deadsuperhero no published vulnerability report for it either:
@thisismissem@hachyderm.io what was this in reference to, the one where Pixelfed allows anyone on a server access to a followers-only post if one person on that server is a follower?
@julian yeah, that one. He prevented it from being exploited further, but because pixelfed doesn't sync its remote account followers, anyone who managed to exploit it beforehand is still able to exploit it, because pixelfed erroneously added follower records locally without there being an Accept(Follow). Sync would purge those invalid records.
And the CVE / security vulnerability report still isn't published.
@dansup @deadsuperhero @thisismissem so are Pixelfed servers not patching or what?
Or is this just another case of Mastodon finding ways to punch down other software in the ecosystem?
@feld @dansup @deadsuperhero no, it's that Dan only fixed part of the problem, which was preventing it from being exploited further.
He hasn't implemented follower collection-synchronisation in order to remove any erroneous follower records from pixelfed servers (where pixelfed thinks a follower is approved, but the target server doesn't).
Additionally, he's not released the security vulnerability report.
He's been saying for months to multiple people he's working on it or about to release it, but it's been, what, 6 months? Hence the very public nudge to finally fix this vulnerability once and for all.
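The follower collection synchronisation that the posts above describe as the missing half of the fix, as an added example that is not Pixelfed's or Mastodon's code: a local follow store holds one erroneous record (marked accepted although no Accept(Follow) ever arrived), the remote server's followers collection is treated as authoritative, and reconciling against it purges the stale record so it no longer grants access to followers-only posts. The domains, actor URIs and remote collection are constructed, and the digest scheme (XOR of SHA-256 over the follower URIs the remote lists for our domain) is my reading of the Collection-Synchronization header, stated here as an assumption.

```python
"""Added example (not Pixelfed's or Mastodon's code): reconciling local follow
records against the remote server's followers collection.

Assumptions, all constructed for the example:
  * the local domain is pixelfed.example, the remote is mastodon.example;
  * the advertised digest is the XOR of SHA-256(follower URI) over the
    followers the remote server lists for our domain (assumed scheme).
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

LOCAL_DOMAIN = "pixelfed.example"  # constructed


@dataclass(frozen=True)
class Follow:
    follower: str   # local actor URI
    target: str     # remote actor URI being followed
    accepted: bool  # whether an Accept(Follow) was ever received


def xor_digest(uris) -> str:
    """XOR of the SHA-256 digests of each URI, hex-encoded (assumed scheme)."""
    acc = bytes(32)
    for uri in uris:
        acc = bytes(a ^ b for a, b in zip(acc, hashlib.sha256(uri.encode()).digest()))
    return acc.hex()


class FollowStore:
    def __init__(self) -> None:
        self._rows: set[Follow] = set()

    def record_follow(self, follower: str, target: str, accepted: bool) -> None:
        self._rows.add(Follow(follower, target, accepted))

    def local_followers_of(self, target: str) -> set[str]:
        return {r.follower for r in self._rows if r.target == target}

    def needs_sync(self, target: str, advertised_digest: str) -> bool:
        """Cheap check: a digest mismatch means our view of who follows `target` is stale."""
        return xor_digest(self.local_followers_of(target)) != advertised_digest

    def reconcile(self, target: str, remote_followers) -> set[str]:
        """Treat the remote collection as authoritative: drop every local follow
        toward `target` that the remote server does not list. Returns purged URIs."""
        theirs = {u for u in remote_followers if urlparse(u).hostname == LOCAL_DOMAIN}
        stale = self.local_followers_of(target) - theirs
        self._rows = {r for r in self._rows
                      if not (r.target == target and r.follower in stale)}
        return stale

    def may_view_followers_only(self, viewer: str, author: str) -> bool:
        """Only a follow record we still hold, and that was accepted, grants access."""
        return any(r.follower == viewer and r.target == author and r.accepted
                   for r in self._rows)


def run_demo() -> dict:
    alice = "https://mastodon.example/users/alice"      # remote author, constructed
    bob = "https://pixelfed.example/users/bob"
    mallory = "https://pixelfed.example/users/mallory"
    carol = "https://pixelfed.example/users/carol"

    store = FollowStore()
    store.record_follow(bob, alice, accepted=True)      # genuine, Accept received
    store.record_follow(mallory, alice, accepted=True)  # erroneous: flagged accepted, no Accept ever arrived
    store.record_follow(carol, alice, accepted=False)   # still pending

    # What alice's server actually lists (constructed); only bob is on our domain.
    remote_collection = [bob, "https://other.example/users/dave"]
    advertised = xor_digest(u for u in remote_collection
                            if urlparse(u).hostname == LOCAL_DOMAIN)

    before = store.may_view_followers_only(mallory, alice)
    needed = store.needs_sync(alice, advertised)
    purged = store.reconcile(alice, remote_collection)
    return {
        "mallory_could_view_before": before,
        "needed_sync": needed,
        "purged": purged,
        "mallory_can_view_after": store.may_view_followers_only(mallory, alice),
        "bob_can_view_after": store.may_view_followers_only(bob, alice),
        "in_sync_after": not store.needs_sync(alice, advertised),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Before reconciliation the erroneous record lets mallory read alice's followers-only posts; after it, only bob, whom alice's server actually lists, retains access, and the local digest matches the advertised one again.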
@thisismissem@hachyderm.io could a hot fix simply be to have Pixelfed remove all follower records and re-associate them on demand?
Talking out of my ass here though.