this post was submitted on 10 Jul 2023
380 points (93.2% liked)

Selfhosted

40717 readers
318 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

This issue is already quite widely publicized and quite frankly "we're handling it and removing this" is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.

It's not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if you're hosting an instance. 🙏

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 119 points 1 year ago (5 children)

IMO it’s not a good idea to be discussing attack vectors publicly when a number of other instances are unpatched and the exploit has been in the wild for less than a day.

I agree that admins need to work together, but discussing it in public on Lemmy so soon after the attack isn’t the way. There exists a Matrix channel for admins, that’s where this type of thing should go.

[–] [email protected] 115 points 1 year ago* (last edited 1 year ago) (1 children)

When a vulnerability at this level happens and a patch is created, visibility is exactly what you need.

It is the reason CVE sites exist and why so many organizations have their own (e.g. Atlassian, SalesForce/Tableau )

It is also why those CVE will be on the front page of sites like https://news.ycombinator.com to ensure folks are aware and taking precautions.

Organizations that do not report or highlight such critical vulnerabilities are only hurting their users.

[–] [email protected] 57 points 1 year ago (2 children)

It is common practice to notify affected parties privately and then give full details to the public after the threat is largely neutralized. Expecting public disclosure with technical details on how to perform the attack in less than 24 hours goes against established industry norms.

[–] [email protected] 47 points 1 year ago

That only stands true when the issue is not being actively exploited.

[–] [email protected] 71 points 1 year ago* (last edited 1 year ago) (1 children)

If this was not a zero day being actively exploited then you would be 100% correct. As it is currently being exploited and a fix is available, visibility is significantly more important than anything else or else the long tail of upgrades is going to be a lot longer.

Keep in mind a list of federated instances and their version is available at the bottom of every lemmy instance (at /instances), so this is a really easy chain to follow and try to exploit.

The discovery was largely discussed in the lemmy-dev Matrix channel, fixes published on github, and also discussed on a dozen alternate lemmy servers. This is not an issue you can really keep quiet any longer, so ideally now you move along to the shout it from the mountaintop stage.

[–] [email protected] 3 points 1 year ago (1 children)

FYI for anyone looking to deface more instances, That list is only updated every 24 hours. Depending on when it last run on your home instance, the info could be out of date.

[–] [email protected] 4 points 1 year ago

I think it also only shows backend version, not frontend, so it won't reflect this fix.

[–] [email protected] 13 points 1 year ago

OK, as long as all the well-meaning people stop discussing it, nobody will ever find out about it.

Son, this is not it.

[–] [email protected] 2 points 1 year ago (2 children)

This is my take on it. I am running Lemmy in a docker using the dessalines image. I hope that there will be an update come this afternoon.

[–] [email protected] 10 points 1 year ago (4 children)

There's already an update available, but it's for lemmy-ui not lemmy. Just update the tag to 0.18.2-rc.1 and you'll have this fix.

[–] [email protected] 2 points 1 year ago

Yep, that's the plan! Thanks for letting me know. Lemmy is awesome and I am having so much fun with it. I expect it only to get better as the days and weeks progress.

[–] [email protected] 2 points 1 year ago

This is probably a dumb question but I used the Ansible install for Lemmy and just did a git pull and --become again but UI wasn't updated so I assume 0.18.2 isn't in release yet (which is fine) but is there documentation on updating UI? I see where it's showing in the docker-compose.yml file but I am uncertain what to do after changing it there (or if that's the right place to change it).

[–] [email protected] 1 points 1 year ago

This is probably a dumb question but I used the Ansible install for Lemmy and just did a git pull and --become again but UI wasn’t updated so I assume 0.18.2 isn’t in release yet (which is fine) but is there documentation on updating UI? I see where it’s showing in the docker-compose.yml file but I am uncertain what to do after changing it there (or if that’s the right place to change it).

[–] [email protected] 1 points 1 year ago

According to https://github.com/LemmyNet/lemmy/commits/main, the bug was fixed with https://github.com/LemmyNet/lemmy/commit/00f9f79a44887869dcdc3fe5bd1dabbbdc080cec and is part of release 0.18.1, right? I usually wouldn´t recommend to install the release candidate, except for testing, but since this is still 0.X anyway...

[–] [email protected] 4 points 1 year ago (2 children)

There is already an update. 0.18.2-rc1

You can apply it now.

[–] [email protected] 6 points 1 year ago (2 children)

I will have to wait until I can get home from work. Work does deep packet inspection and blocks SSH. I've tried doing SSH on port 993, one I know for a fact is open because I get my email that way on my phone and I still get a connection refused. Bunch of fascists!

[–] [email protected] 3 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago (1 children)

You could try using a VPN or some other kind of proxy which wraps your SSH traffic to prevent packet inspection. Then it should look like normal UDP traffic ;)

[–] [email protected] 3 points 1 year ago

They block UDP traffic too. I tried some things like that.

[–] [email protected] 1 points 1 year ago (1 children)

Given how strict it is, I assume your company implements some sort of certification such as ISO27001 and really stick their gun on it? So, can you like, not using your company's wifi on your phone if it's heavily monitored? Or is the cell reception poor at your office?

[–] [email protected] 2 points 1 year ago (1 children)

I use my employer's guest wifi. Right now I can't afford adding the hotspot to my plan.

[–] [email protected] 2 points 1 year ago

No need to enable hotspot on your phone. Just install Termux from f-droid if you're on android, or Prompt if you're on iOS, and use SSH directly from your phone.

[–] [email protected] 1 points 1 year ago

This is probably a dumb question but I used the Ansible install for Lemmy and just did a git pull and --become again but UI wasn’t updated so I assume 0.18.2 isn’t in release yet (which is fine) but is there documentation on updating UI? I see where it’s showing in the docker-compose.yml file but I am uncertain what to do after changing it there (or if that’s the right place to change it).

[–] [email protected] 2 points 1 year ago (2 children)

Where is this Matrix Channel? Is it private? How can I get access as an instance admin?

[–] [email protected] 7 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago

Presumably that channel (I hadn't seen it there) and https://matrix.to/#/#lemmydev:matrix.org, which is actually where I was watching for the fix.

[–] [email protected] 4 points 1 year ago (2 children)

It isn't private, I think there's a link on the girhub

[–] [email protected] 2 points 1 year ago (1 children)

If the only criteria to be in a private channel for admins is being an admin, there’s no use making it private. ;) Unless your just looking to filter out bad actors who don’t want to take 5 min and 5$ to make an instance.

[–] [email protected] 2 points 1 year ago

I have an account that's in there without being an administrator.

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago

I was actually speaking of the matrix channel