this post was submitted on 10 Jul 2023
379 points (93.0% liked)

Selfhosted

39159 readers
379 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
379
Suboptimal ways to respond to a public security incident (lemmy.stuart.fun)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
87 comments fedilink hide all child comments
 

This issue is already quite widely publicized and quite frankly "we're handling it and removing this" is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.

It's not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if you're hosting an instance. 🙏

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 120 points 1 year ago (44 children)

IMO it’s not a good idea to be discussing attack vectors publicly when a number of other instances are unpatched and the exploit has been in the wild for less than a day.

I agree that admins need to work together, but discussing it in public on Lemmy so soon after the attack isn’t the way. There exists a Matrix channel for admins, that’s where this type of thing should go.

[–] [email protected] 2 points 1 year ago (15 children)

This is my take on it. I am running Lemmy in a docker using the dessalines image. I hope that there will be an update come this afternoon.

[–] [email protected] 10 points 1 year ago (4 children)

There's already an update available, but it's for lemmy-ui not lemmy. Just update the tag to 0.18.2-rc.1 and you'll have this fix.

[–] [email protected] 1 points 1 year ago

According to https://github.com/LemmyNet/lemmy/commits/main, the bug was fixed with https://github.com/LemmyNet/lemmy/commit/00f9f79a44887869dcdc3fe5bd1dabbbdc080cec and is part of release 0.18.1, right? I usually wouldn´t recommend to install the release candidate, except for testing, but since this is still 0.X anyway...

load more comments (3 replies)
load more comments (13 replies)
load more comments (41 replies)