Jonkman Microblog
  1. kaniini@pleroma.site's status on Wednesday, 22-Aug-2018 21:44:36 EDT
    pleroma folks: update your instances NOW.

    there is a serious denial of service vulnerability that is trivial to leverage: if an attacker sends an otherwise valid Activity to us without a valid ID, pleroma will wind up inserting a node into its object graph with an empty ID.

    if you cannot rebase your tree on latest, the necessary patches are here: https://git.pleroma.social/pleroma/pleroma/merge_requests/286.

    Attachments

    1. security: activitypub: reject activities with bogus ids (!286) · Merge Requests · Pleroma / pleroma
      from GitLab
      An attacker can damage Pleroma's object graph in some limited cases by sending activities with an invalid ID. This can lead to a denial of service (DoS) condition. We mitigate...
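
The check the notice calls for, sketched as an added example that is not part of the original post and is not Pleroma's patch: an inbound activity is refused before it reaches the store unless its id is a non-empty absolute http(s) URI. The dict-based store, the function names and the sample activities are assumptions made for illustration.

```python
from urllib.parse import urlsplit

class RejectedActivity(ValueError):
    """Raised when an inbound activity must not reach the object store."""

def valid_id(value):
    """True only for a non-empty absolute http(s) URI with a host."""
    if not isinstance(value, str) or not value.strip():
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed bracketed host
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def ingest(store, activity):
    """Insert an activity keyed by its id, refusing bogus ids up front."""
    if not isinstance(activity, dict):
        raise RejectedActivity("activity is not a JSON object")
    activity_id = activity.get("id")
    if not valid_id(activity_id):
        raise RejectedActivity(f"bogus activity id: {activity_id!r}")
    if activity_id in store:
        return store[activity_id]  # already known: never overwrite a node
    store[activity_id] = activity
    return activity

def ingest_all(store, activities):
    """Process a batch and return the rejection reasons instead of raising."""
    rejected = []
    for activity in activities:
        try:
            ingest(store, activity)
        except RejectedActivity as err:
            rejected.append(str(err))
    return rejected

# Constructed sample input (hypothetical store stand-in: a plain dict).
SAMPLE = [
    {"id": "https://remote.example/activities/1", "type": "Create"},
    {"id": "", "type": "Create"},   # empty id
    {"type": "Like"},               # id missing entirely
    {"id": "not-a-uri", "type": "Announce"},
]

if __name__ == "__main__":
    store = {}
    print(ingest_all(store, SAMPLE), sorted(store))
```

Without the `valid_id` gate, the second and third sample activities would be stored under an empty or `None` key, which is the empty-ID node the notice describes.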
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.