Notices by r (r@freesoftwareextremist.com), page 6
-
Patch for the vulnerability in bloat that allows a malicious upstream server (Pleroma/Mastodon) to return crafted JSON data in the response to an API call made by bloat to make it go out of memory and cause Denial of Service.
The attack could be performed by a malicious user by connecting to a malicious server. Technically, it doesn't have to be a Mastodon compatible server, any HTTP server that'd respond to the HTTP paths requested by bloat could work.
bloat instances running in the single instance mode are not affected assuming the specified instance doesn't serve the malicious response.
The patch applies a limit on the size of the response returned by the server, currently set to 8MiB.
https://git.freesoftwareextremist.com/bloat/commit/?id=ad38855261dca802439922f71408e2b08e7c10ea
-
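The bug class and the fix described in the post above, as an added example written for this page in Go (bloat's language); it is not code from the bloat commit and does not claim to mirror how that patch is implemented. The `Status` shape, the `/benign` and `/bloated` paths and the local fake upstream are all assumptions made for the demonstration; the 8 MiB constant is the figure given in the announcement.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxResponseBytes is the cap the announcement describes (8 MiB). Everything in
// this file is illustrative code for this page, not bloat's implementation.
const MaxResponseBytes int64 = 8 << 20

var ErrResponseTooLarge = errors.New("upstream response exceeds size limit")

// Status is a minimal stand-in for a Mastodon-compatible API object
// (assumed shape; only the fields needed here).
type Status struct {
	ID      string `json:"id"`
	Content string `json:"content"`
}

// fetchStatusesUnbounded is the vulnerable pattern: it trusts the upstream and
// buffers the whole body, so a server that streams an endless JSON array makes
// the client allocate until it is OOM-killed.
func fetchStatusesUnbounded(client *http.Client, url string) ([]Status, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body) // unbounded allocation
	if err != nil {
		return nil, err
	}
	var out []Status
	return out, json.Unmarshal(data, &out)
}

// readBounded reads at most limit bytes from r. It asks for one extra byte so a
// body of exactly limit bytes is accepted while anything longer is rejected, and
// never more than limit+1 bytes are held in memory.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// fetchStatusesBounded is the hardened form: the body is capped on bytes
// actually read (not on the attacker-controlled Content-Length) before decoding.
func fetchStatusesBounded(client *http.Client, url string, limit int64) ([]Status, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := readBounded(resp.Body, limit)
	if err != nil {
		return nil, err
	}
	var out []Status
	return out, json.Unmarshal(data, &out)
}

// newFakeUpstream stands in for a hostile instance (constructed test server).
// /benign returns a small timeline; /bloated returns a syntactically valid array
// padded to bodyBytes bytes, which is what a crafted response looks like.
func newFakeUpstream(bodyBytes int) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/benign", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `[{"id":"1","content":"hello"},{"id":"2","content":"world"}]`)
	})
	mux.HandleFunc("/bloated", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `[{"id":"1","content":"`)
		io.WriteString(w, strings.Repeat("A", bodyBytes))
		io.WriteString(w, `"}]`)
	})
	return httptest.NewServer(mux)
}

func main() {
	const limit = 4096 // small cap so the demo is quick; same principle at MaxResponseBytes
	srv := newFakeUpstream(10 * limit)
	defer srv.Close()

	ok, err := fetchStatusesBounded(srv.Client(), srv.URL+"/benign", limit)
	fmt.Println("benign:", len(ok), "statuses, err:", err)

	_, err = fetchStatusesBounded(srv.Client(), srv.URL+"/bloated", limit)
	fmt.Println("bloated: err:", err) // rejected after reading only limit+1 bytes

	// fetchStatusesUnbounded(srv.Client(), srv.URL+"/bloated") would succeed here
	// only because the fake body is finite; a real attacker streams forever.
}
```

Two points worth keeping in mind when applying this elsewhere: the cap has to be enforced on the bytes actually read, since a hostile server controls Content-Length and can simply lie or omit it, and once the cap is hit the client should stop reading and drop the connection rather than keep draining the body.
-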
Tagging people who I think run bloat and were asking for clarification in the announcement thread.
@p @w @Moon @mint @kirby @dcc
-
@w You know, your post caused more downtime than the vulnerability could ever have. Partly because of how you worded the post and not clarifying who is affected. When I did clarify a little bit, you asked me to delete the post, 3 times actually, despite me saying that deletes don't work. We didn't agree to spread misinformation and tell everyone to stop using it.
I didn't like the idea of having a "disclosure timeline" either. bloat is a small project, nowhere close to Pleroma, and even Pleroma doesn't announce a vulnerability 2 days before the fix/actual disclosure. But you kept insisting on it, so I agreed to it thinking it's not going to hurt anyone.
>Now I have to clean up the mess on my end and explain what happened to my users
If your users are only "users", then you know they're not affected and if they do run their own public bloat instance, you can just privately share the patch with them.
>please let me know so I can publish the patch early
I think that'd be the best because most people who run public instances of bloat are already aware of the issue and are simply waiting for a fix.
Despite all, I'm still grateful for you and thank you for discovering the issue and reporting it to me.
-
@romin You know what's worse than Mastodon scopes? The copy scope functionality. And even worse are the people who hijack a normal thread with private scope.
-
@coolboymew I like them all for different reasons, but I have to say, both of the songs by shinkuraizu in the new mini album are excellent.
-
@coolboymew
カレイドスコア - kareidosukoa
キャッチュ - kyacchu
シンクライズ - shinkuraizu
-
@hakui @coolboymew That's orekix.
-
@coolboymew So this is how kyacchu was formed.
-
@coolboymew So cute.
-
@wakarimasen Does that mean there's also a neko tippii?
-
@wakarimasen I have to say, these new chapters are really tempting. I should spend more time with nihongo so that I can start reading it again.
-
@wakarimasen I want to read the printed version.
-
@wakarimasen I'd lose the motivation for learning nihongo if I read the eigo version.
-
@prettygood @Suiseiseki Client side validation has its own use-case.
-
@Suiseiseki Yes, but that means you have to submit the form and the whole point of the required attribute is that it works on the client side.
-
@Suiseiseki No, I was asking about conditional validation based on existing form input data, as shown in the OP screenshot. The 3rd textarea input would only have a required attribute when the user selects "No" in the 2nd input. As far as I know, it's not possible without using JS.
-
@Suiseiseki @Zerglingman Wait, is there actually a way to do conditional validation with HTML?
-
@coolboymew gkgkgkgk.
-
@coolboymew Although, I had thought that rairapusu would be the oneechan.
-
@coolboymew See, I told you.
r
Statistics: User ID 3653; Member since 22 Dec 2022; Notices 182; Daily average 0