Hi everyone,
Stephan Schulz (s-f-s on Github) found a security hole in the way D* sends public messages. I patched it shortly after he mentioned it to me a few weeks ago, and Raven24 and I have spent a good amount of hours verifying the fix and making sure it did not break federation. I just pushed it to the master branch, so for podmins who have not received the update, please pull ASAP.
The basic issue was that public messages were verifying signatures of messages, but not actually checking that the signature matched the object's creator. This means that a malicious pod runner could manufacture malicious messages which sent bogus posts and deletion requests. This only affected public messages, as this check is in place for the private part of the validation phase. This is now fixed in the master tip on diaspora/diaspora with 190fceaf5ccda14c93292a4a8eb1c24efd0c2939.
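The check described above, reduced to a small Ruby illustration. This is an added example and not Diaspora's federation code or the actual patch: it uses a constructed in-memory key registry with hypothetical identifiers (`alice@pod-a.example`, `mallory@pod-m.example`) and a simplified JSON payload. The first verifier accepts any valid signature from a known key and trusts the envelope's claim about who signed; the second looks up the key by the author named inside the signed payload, so a signature from a different pod's key over a message attributed to someone else is rejected.

```ruby
require 'openssl'
require 'json'

DIGEST = 'SHA256'

# Constructed, in-memory stand-in for the public keys a pod has fetched for
# remote people. The identifiers are hypothetical, not Diaspora's data model.
KEYS = {
  'alice@pod-a.example'   => OpenSSL::PKey::RSA.new(2048),
  'mallory@pod-m.example' => OpenSSL::PKey::RSA.new(2048)
}.freeze

# Build a message envelope: the payload names an author, the envelope names
# whichever key actually produced the signature.
def build_message(author:, signer:, type:, body:)
  payload = JSON.generate('author' => author, 'type' => type, 'body' => body)
  signature = KEYS.fetch(signer).sign(OpenSSL::Digest.new(DIGEST), payload)
  { 'payload' => payload, 'signer' => signer, 'signature' => signature }
end

# Raw signature check against one public key; malformed input counts as invalid.
def signature_valid?(public_key, msg)
  public_key.verify(OpenSSL::Digest.new(DIGEST), msg['signature'], msg['payload'])
rescue OpenSSL::PKey::PKeyError
  false
end

# Flawed check: confirms that *some* known key signed the message, using the
# key the envelope claims. A signature by mallory's key over a payload that
# names alice as author passes, which is the class of bug described above.
def verify_signature_only(msg)
  key = KEYS[msg['signer']]
  !key.nil? && signature_valid?(key.public_key, msg)
end

# Bound check: the verifying key is the one registered for the author named
# inside the signed payload, so a signature from anyone else fails.
def verify_author_bound(msg)
  author = JSON.parse(msg['payload'])['author']
  key = KEYS[author]
  return false if key.nil? # unknown author: nothing to bind to, reject
  signature_valid?(key.public_key, msg)
end
```

The point of the second check is that the signer identity is derived from the signed content and resolved through the pod's own key store, rather than taken from an unsigned field the sender controls.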
I want to thank Stephan Schulz again for being diligent about reporting the issue, and taking the time to verify that the patch works. I also want to thank Florian (Raven24) for spending considerable time improving the federation logger and testing the patch for me. We are lucky to have people like Stephan and Florian helping us out.
Thanks,
Maxwell