diaspora* security release 0.5.7.1

Dennis Schubert

Mar 8, 2016, 5:17:12 PM
to diaspora...@googlegroups.com, diaspo...@googlegroups.com

We just released diaspora* version 0.5.7.1 which disables post
fetching for relayables. Due to an insecure implementation, fetching
of root posts for relayables could allow an attacker to distribute
malicious/spoofed/modified posts for any person.

Disabling the fetching will make the current federation a bit less
reliable, but for a hotfix, this is the best solution. We will
re-enable the fetching in 0.6.0.0 when we have moved the federation
out into its own library and are able to implement further validation
during fetches.

# Updating

Please update as soon as possible. Update instructions can be found as
usual at https://wiki.diasporafoundation.org/Updating.

--
Dennis Schubert
http://schub.io
xmpp:dens...@dsx.cc