Lemmy Security Advisory for Versions < `0.19.1`: Private message details leak.

The full description of the bug is in the linked issue above, but the short version is:

Our CreatePrivateMessageReport endpoint had a bug that would allow anyone, not just the recipient, to create a report, and then receive the details about private messages.

This allowed anyone to iterate over ids, creating thousands of reports in order to receive details about private messages.

Since those reports are visible to admins, it would be easy to discover if someone was abusing this, and luckily we haven’t heard of anyone doing so on production instances (so far).

If you haven’t, please be sure to upgrade to at least 0.19.1 for the fix.

Many thanks to @Nothing4u for finding this one.

Blaze, (edited )
@Blaze@discuss.online avatar

Isn’t that dangerous to discose the bug while the largest version is still 18.5 ? fedidb.org/software/lemmy/versions

gregorum,

why haven’t they upgraded yet?

Blaze,
@Blaze@discuss.online avatar

19.0 and 19.1 broke federation.

19.2 restored federation.

19.3, released this week, fixed an authentication issue.

Seems you are either non-functional or insecure

gregorum,

oy. ok

syd, (edited )
@syd@lemy.lol avatar

0.18.6 would make sense TBH.

dessalines,

Timing on publishing these is tricky. We let most server runners know about this ~a month ago now, and we’re now 2 versions past the bug.

Blaze,
@Blaze@discuss.online avatar

Interesting, thanks, I didn’t know you communicated this to the admins before

Zagorath,
@Zagorath@aussie.zone avatar

As far as I’m aware the most widely-accepted standard for responsible disclosure is 90 days. This is a little different, since that’s normally between businesses and includes the time needed to develop a solution; it’s not typically aimed at federated or self-hosted applications rolling out an already-created patch. On the one hand, granting them that extra time to upgrade seems reasonable. On the other, wouldn’t anyone wanting to exploit a vulnerability be able to reverse-engineer it pretty easily by reading the git history?

I dunno where I land on this, tbh.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • announcements@lemmy.ml
  • localhost
  • All magazines
    •
    Loading…
    Loading the web debug toolbar…
    Attempt #