kaniini@pleroma.site's status on Thursday, 23-Aug-2018 10:44:19 JST:

pleroma folks: update your instances NOW.
there is a serious denial of service vulnerability that is trivial to leverage: if an attacker sends an otherwise valid Activity to us without a valid ID, pleroma will wind up inserting a node into its object graph with an empty ID.
if you cannot rebase your tree on latest, the necessary patches are here: https://git.pleroma.social/pleroma/pleroma/merge_requests/286

Vaporwave Singapore and Trolli Schmittlauch repeated this.
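
The check the post implies, as an added example that is not from the post or from Pleroma's code base: reject an incoming Activity whose `id` is missing or unusable before it reaches the object graph. Treating a valid ID as an absolute http(s) URI is an assumption, as are the function names and the constructed sample activities.

```python
from urllib.parse import urlsplit


def has_valid_id(activity):
    """True only if `id` is a non-empty absolute http(s) URI with a host (assumed rule)."""
    ident = activity.get("id") if isinstance(activity, dict) else None
    if not isinstance(ident, str) or not ident.strip():
        return False
    try:
        parts = urlsplit(ident)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def naive_insert(graph, activity):
    # Failure mode described in the post: a missing ID collapses to an empty key.
    graph[activity.get("id") or ""] = activity


def checked_insert(graph, activity):
    # Validate at the ingest boundary, before anything is stored.
    if not has_valid_id(activity):
        raise ValueError("rejected activity: missing or invalid id")
    graph[activity["id"]] = activity


# Constructed sample activities (hypothetical hosts).
GOOD = {"id": "https://remote.example/activities/1", "type": "Create",
        "actor": "https://remote.example/users/a"}
BAD = [
    {"type": "Create", "actor": "https://remote.example/users/a"},  # no id key
    {"id": None, "type": "Create"},
    {"id": "", "type": "Create"},
    {"id": "/relative/path", "type": "Create"},
    {"id": "mailto:a@remote.example", "type": "Create"},
]


def demo():
    naive, checked, rejected = {}, {}, 0
    for act in [GOOD] + BAD:
        naive_insert(naive, act)
        try:
            checked_insert(checked, act)
        except ValueError:
            rejected += 1
    # (did the naive store gain an empty-ID node?, what the checked store kept, rejects)
    return "" in naive, list(checked), rejected
```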