Conversation

Notices

1. :blank: (i@declin.eu)'s status on Saturday, 21-Dec-2024 00:05:00 JST :blank:
   https://pleroma.social/announcements/2024/12/19/pleroma-release-2.8.0/ isn't even worth a public announcement on the network it seems like
   •  (mint@ryona.agency)'s status on Saturday, 21-Dec-2024 00:04:58 JST 

     in reply to
     @i Unexpected. Wasn't someone implying some super secret security fixes?
   •  (mint@ryona.agency)'s status on Saturday, 21-Dec-2024 00:05:47 JST 

     in reply to

     • 
     @i Ah, there it is. Network-wide PerniaPolicy, this might be fun.
     https://git.pleroma.social/pleroma/pleroma/-/commit/b51f5a84eb7e2f3acb2d7fed54213a9680983bce
   •  (mint@ryona.agency)'s status on Saturday, 21-Dec-2024 00:15:55 JST 

     in reply to
     @i Scope severely limited by the fact no one knows how to use c2s API.
   • :blank: (i@declin.eu)'s status on Saturday, 21-Dec-2024 00:15:56 JST :blank:

     in reply to

     • 
     @mint yup
   • :blank: (i@declin.eu)'s status on Saturday, 21-Dec-2024 01:33:41 JST :blank:

     in reply to

     • 
     @mint thankfully it's as easy as curling an endpoint
     
     https://git.pleroma.social/pleroma/pleroma/-/issues/2937
      likes this.
   • munir (munir@fedi.munir.tokyo)'s status on Sunday, 22-Dec-2024 04:53:45 JST munir

     in reply to

     • 
     @mint @i What's that do?
   •  (mint@ryona.agency)'s status on Sunday, 22-Dec-2024 04:53:45 JST 

     in reply to

     • munir
     @munir @i Commit description is fairly self-explainatory, there was no object attribution check when creating Update activities with an AP C2S API no one uses, meaning any local user supposedly could edit anyone else's post on that instance. "Supposedly" because I couldn't replicate it (sending seemingly valid Update activities even to your own posts do nothing), and it wasn't marked as a security fix, which makes me think it never worked in the first place and thus can't be exploited.