262
Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover (github.com)
submitted 11 months ago* (last edited 11 months ago) by otter@lemmy.ca to c/fediverse@lemmy.world
18 comments fedilink hide all child comments

If your instance is not up to date (see footer), you can pass this along to your admins to check

you are viewing a single comment's thread
view the rest of the comments
[-] jonne@infosec.pub 65 points 11 months ago

I wonder if the companies that forked mastodon (like truth social) will bother to update. I can see someone posting stuff as a former president with this flaw.

[-] roguetrick@kbin.social 25 points 11 months ago

Eh, stuff like truth social doesn't federate with anything anyway, so unfortunately this isn't a vulnerability for them.

[-] jonne@infosec.pub 10 points 11 months ago

Has it been confirmed this is a federation bug?

[-] skullgiver@popplesburger.hilciferous.nl 25 points 11 months ago

Has it been confirmed this is a federation bug?

Based on this commit, which fixes the vulnerability, the bug seems to lie within the ActivityPub receive logic, specifically validation of remote resources.

[-] jonne@infosec.pub 5 points 10 months ago

Oh great, thanks.

this post was submitted on 01 Feb 2024
262 points (100.0% liked)

Fediverse

28746 readers
56 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
ruud@lemmy.world
Xylinna@lemmy.world
MrCenny@lemmy.world
TragicNotCute@lemmy.world
automodbeta@lemmy.world
woelkchen@lemmy.world