nostr:npub1ysufjjd485tftr4wy2a83fqyqvtfq0yn820gl8vl6hcsdz8uv2hskx2jyl How do I switch to the Pleroma upstream repository (git.pleroma.social rather than git.asbestos.cafe)? I give up, I don't want to run my own fork and have to understand git.
nostr:npub1sl8kylr2n9gpnfdg5k5jv9dwda5xm9chuyt73gz4mcl88q5fa0tser5emg What's the `git remote -v` output?
@pomstan@xn--p1abe3d.xn--80asehdb /api/v1/pleroma/remote_interaction (public) is a known way.
And I’m not a full-disclosure-on-day0 person so if you want exploit details it’ll have to wait until I can be reasonably sure people have their software fixed.
At least we are now in the same company as Postgres, who also had this vulnerability in 2012 🥲
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
nostr:npub1yck44z5zqxmwpqzqs75ay6ffjdw843ng9p6mz0lzfff3fgz2djlsngujmw >libxml2
Uuuh… let's say I'm glad I don't have untrusted/remote XML in my other software.
And it's kind of ironic that one of the reasons Pleroma doesn't adopt JSON-LD is the external entities issue, among other broken designs of JSON-LD, only to get hit via a worse version right in the XML library that's part of Erlang, even though XML doesn't require the bad design in question.
nostr:npub1yck44z5zqxmwpqzqs75ay6ffjdw843ng9p6mz0lzfff3fgz2djlsngujmw It should at least be documented with a fat warning; I didn't even notice a warning about it when skimming through the Erlang docs…
(And I'm not sure where the xmerl source repo is, apparently not https://github.com/erlang/otp, so good luck sending patches…)
Low-key wonder if there's a hall of shame for XML, JSON-LD, maybe YAML, … libraries that grab external resources by default.
nostr:npub1vseykxgxuz8ver5c7g0ddhcpv8erqy3v9cfvgcuqdygdnnpd488s6av7q2 Well likely somehow wouldn't have been for me so thanks!
yo, nostr:npub1ysufjjd485tftr4wy2a83fqyqvtfq0yn820gl8vl6hcsdz8uv2hskx2jyl you need to do --chown=pleroma in the Dockerfile for the config copy and set more restrictive permissions on config.exs in the repo
nostr:npub1vseykxgxuz8ver5c7g0ddhcpv8erqy3v9cfvgcuqdygdnnpd488s6av7q2 I know, could you send a patch if you have the fix for this? (I despise docker with passion…)
nostr:npub1532ksva0y353dymx4pd07rkm4jaqp7t5raguq8k27luxl6ajncuqvp5ffy Same thing there I guess, I removed the entire notifications system on my machines, only thing that produces sound here is my shell with quiet and short beeps, and there's no popups.
nostr:npub1apwsfvk9nxrgpjhndn2x9lerasscsh5na6qv0sjqf7l060am28csr29mqh A: Why does the United States, an American country, speak Spanish, a European language, instead of their own native language?
The last 2 security releases make me want to do an AppArmor profile for Pleroma, so at least on Linux machines with it, it can be contained to Pleroma files for sure.
#Pleroma Security Release 2.5.4
Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitrary files from the server's filesystem.
https://pleroma.social/announcements/2023/08/05/pleroma-security-release-2.5.4/
Also it was reported by nostr:npub1j3pf2vg36vgxtmxjxuxcu5ynh5krrvl55qmy9rfx98d8pp4cawcsvzm7q2 so thanks a lot!
nostr:npub1emn79m7cwed95v770tavrp98xpkavds5f3d7zjf8wzvuq7q22yjqncrkds And no possibility of putting your own router instead of their stuff?
nostr:npub1pmccr6kdukw4qj2lnlsxh8xetunxyr73xdkr9duvmyhl0hr6fdss3nac3p Hello from Pleroma via regular posts o/
Love the idea of building 4 binaries on a potato arm machine…
nostr:npub1ysufjjd485tftr4wy2a83fqyqvtfq0yn820gl8vl6hcsdz8uv2hskx2jyl I've gone to some fancy restaurants where very handsome, dapper men address you by name and give very good service; it's pretty much the same thing, but the food is actually good.
nostr:npub19evw3m5663gjcg4cnaehfx42uxlq49kj6mxj06an30hz3e5navwq4zs343 I meant one that's about as lewd as a maid cafe.
nostr:npub19evw3m5663gjcg4cnaehfx42uxlq49kj6mxj06an30hz3e5navwq4zs343 What if you would go to a butler cafe?
nostr:npub1srdafpzsnx8lfzyhttuk24tnxwpqhsmxtavs4qvwrpufx8w662wstgg44z Meanwhile I'm pretty sure a bunch of billionaires just work in their fucking mansion without having to leave it all the time.
