186

Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover (github.com)

submitted 7 months ago by [email protected] to c/[email protected]

17 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] [email protected] 2 points 7 months ago

private repo they commit to and build from

This isn't possible with Ruby and Mastodon. The only way to distribute the patch is to reveal the changes to the source. FWIW, compiling the fix is still just an obfuscation method, one can still just diff the binaries and see what changed (see: reverse-engineering Windows vulnerabilities in updates).

At best, you can release it with a bunch of unrelated and obfuscating changes, but putting work into doing that is further delaying simply getting the fix released.

[-] [email protected] 1 points 7 months ago

Indeed but we’ve observed that compiled binaries still take actors that little bit longer (~24h) before developing exploits which, when you’re trying to buy time for users to patch, is invaluable.

Hopefully we won’t see widespread exploration before patches are applied as I can imagine a lot of instances’ infrastructure isn’t architected and managed with the level of care you see from larger orgs given how many are hobbyist efforts.

Federated services don’t need negative press this early on. It’ll only serve Meta and enterprise-created and controlled services.

this post was submitted on 01 Feb 2024

186 points (99.5% liked)

Fediverse

17535 readers

48 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

What is the fediverse?
- Short ver.
- Full ver.
Fediverse Platforms
How to run your own community

founded 4 years ago

MODERATORS

[email protected]