Announcements

711 readers

78 users here now

lemmy.zip annoucements

The same rules as the main instance apply here.

founded 2 years ago

MODERATORS

Demigodrick@lemmy.zip

Sami@lemmy.zip

v4ld1z@lemmy.zip

Important - Piefed.zip down due to security maintenance (lemmy.zip)

submitted 9 hours ago* (last edited 9 hours ago) by Demigodrick@lemmy.zip to c/announcements@lemmy.zip

10 comments fedilink hide all child comments

Hello All,

Due to the incredibly irresponsible disclosure of a security vulnerability for Piefed, we've had to take Piefed.zip offline until a fix can be put in place.

I'll update more once I have more information.

Many thanks

Demigodrick

you are viewing a single comment's thread
view the rest of the comments

[–] fiat_lux@lemmy.zip 12 points 6 hours ago

A few months ago I mentioned in a thread about Piefed there were questionable system design choices that indicated that other parts of the system should be carefully examined for how they’re handling and sanitizing input. I'm assuming someone discovered one of the places that this was actively exploitable.

From what I've seen of the code, although Python is not my specialty, it might be worth delaying reactivation until it can demonstrate that it is at least somewhat resistant to the OWASP Top 10, especially Injection.

Irresponsible disclosure is annoying, but vastly better than discovery and exploitation by those who aren't going to disclose at all.