this post was submitted on 01 Feb 2024
191 points (99.5% liked)

Fediverse

21025 readers
43 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
all 20 comments
sorted by: hot top controversial new old
[–] redcalcium@lemmy.institute 29 points 2 years ago (2 children)

This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.

But the commit to fix insufficient origin validation is already visible right there in the repo?

[–] losttourist@kbin.social 31 points 2 years ago (1 children)

Without a published POC there's a slightly longer window before clueless script kiddies start having a go at exploiting the vulnerability, though.

[–] fartsparkles@sh.itjust.works 6 points 2 years ago (1 children)

Script kiddies aren’t the first ones to take advantage of vulns, threat actors are.

[–] jmcs@discuss.tchncs.de 8 points 2 years ago (1 children)

That doesn't mean you shouldn't try to contain the blast radius.

[–] pelespirit@sh.itjust.works 3 points 2 years ago (1 children)

Could you explain what you're saying in common language?

[–] cypherpunks@lemmy.ml 23 points 2 years ago* (last edited 2 years ago) (2 children)

The lack of details in the advisory is only a minor impediment for a malicious person who wants to figure out how to implement their own exploit for this vulnerability. Anyone can read the patch that fixes it and figure it out.

TLDR: if you run your own instance, update it ASAP. If an instance you rely on hasn't updated yet, consider asking its admins to do so. And if they don't update it soon, you might want to reconsider your choice of instance.

[–] elvith@feddit.de 7 points 2 years ago

And if they don't update it soon, you might want to reconsider your choice of instance.

The advisory went up about 4h ago. About 3h ago, my instance admin sent out an announcement that the patch had been applied. That was before I even heard about the issue.

Nice work :)

[–] AngieStone@mastodon.social 6 points 2 years ago (1 children)
[–] androidul@lemmy.ml 1 points 2 years ago
[–] desmosthenes@lemmy.world 5 points 2 years ago

hope for the best; plan for the worst

[–] steter@mastodon.stevesworld.co 3 points 2 years ago

@cypherpunks Upgrading went smoothly.

[–] Atelopus-zeteki@kbin.run -5 points 2 years ago (1 children)

Hmm, so if one is on iOS, the current version 2023.16, and is vulnerable. Take note apple / mac folx.

[–] cypherpunks@lemmy.ml 20 points 2 years ago (1 children)

No, this is a server-side vulnerability. Clients do not need to update, instances do.