this post was submitted on 24 Jan 2024
115 points (100.0% liked)

Announcements

23301 readers
34 users here now

Official announcements from the Lemmy project. Subscribe to this community or add it to your RSS reader in order to be notified about new releases and important updates.

You can also find major news on join-lemmy.org

founded 5 years ago
MODERATORS
 

The full description of the bug is in the linked issue above, but the short version is:

Our CreatePrivateMessageReport endpoint had a bug that would allow anyone, not just the recipient, to create a report, and then receive the details about private messages.

This allowed anyone to iterate over ids, creating thousands of reports in order to receive details about private messages.

Since those reports are visible to admins, it would be easy to discover if someone was abusing this, and luckily we haven't heard of anyone doing so on production instances (so far).

If you haven't, please be sure to upgrade to at least 0.19.1 for the fix.

Many thanks to @Nothing4You for finding this one.

you are viewing a single comment's thread
view the rest of the comments
[–] Blaze@discuss.online 7 points 9 months ago (2 children)

19.0 and 19.1 broke federation.

19.2 restored federation.

19.3, released this week, fixed an authentication issue.

Seems you are either non-functional or insecure

[–] dessalines@lemmy.ml 16 points 9 months ago* (last edited 9 months ago) (1 children)

Those didn't completely break federation, they just had some issues with a few services besides lemmy. They're addressed now, but federation compatibility will always be an ongoing task as new services get added and existing ones change their activitypub responses.

[–] Blaze@discuss.online 5 points 9 months ago

Happy to be past that indeed

[–] gregorum@lemm.ee 1 points 9 months ago