maloki @maloki

⚠ The security vulnerability discovered in rc1 and rc2 has been patched in version 2.4.0rc3 ⚠ UPDATE ASAP

⚠ If you've run 2.3.3+master you may be affected too (since the 27th of March)

⭐ 2.3.3 and other previous stable versions are SAFE, and not affected by it.

github.com/tootsuite/mastodon/

(updated toot with additional info, read full info inside the release on github)


@snoot @maloki hi, I can't see what's this tagging for. Mind letting me know? :)

@self @maloki ⚠ The security vulnerability discovered in rc1 and rc2 has been patched in version 2.4.0rc3 ⚠ UPDATE ASAP

⚠ If you've run 2.3.3+master you may be affected too (since the 27th of March)

⭐ 2.3.3 and other previous stable versions are SAFE, and not affected by it.

github.com/tootsuite/mastodon/

#Mastodon #SecurityVuln

(updated toot with additional info, read full info inside the release on github)

@maloki @self Not currently relevant to :lgbt_io: but an FYI

@snoot ah I see, it's weird that I was unable to view the first toot before you tagged me just now, but now I can see the whole conversation. Thanks. :) I'll update our Mastodon instance to the latest version once it's stable. :)

@Dog2puppy I'm pretty sure that you can interpret the release notes with the vulnerability info, just as well as I can.

Feel free to ask questions if you have any still after reading it though.

@maloki @Dog2puppy those release notes seem to say nothing about what the bug actually is that was fixed..?

@slipstream I feel like the fixes show exactly what was wrong.

Anyways, in my case, I don't know more than what's in that release note. So I am not the right person to ask, but if there are actual specific questions after reading it, feel free to ask.

@Dog2puppy

@maloki @Dog2puppy The PR which I assume fixes the bug (7480) doesn't seem to explain *why* it's vulnerable.

@slipstream @maloki @Dog2puppy yeah i'm really perplexed about this

@jk @slipstream @maloki @Dog2puppy It's not by accident that I did not give simple instructions on how to exploit it.

Well, webpack put environment variables (like secrets) into a publicly accessible JavaScript file.
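The failure mode Gargron describes, shown as an added example that is not code from this thread or from the Mastodon project: a toy model of the build-time substitution that webpack's DefinePlugin and EnvironmentPlugin perform. Defining the whole `process.env` object at once copies every variable on the build machine into the public bundle; allowlisting individual variable names copies only those. A post-build scan that looks for non-public values in the emitted bundle is included as the check an operator would want. The variable names, values and application source below are constructed for illustration and are not Mastodon's configuration, and nothing here is a claim about which specific config caused the bug.

```javascript
// Added example (not from the thread or from Mastodon): a toy model of
// the build-time substitution webpack's DefinePlugin / EnvironmentPlugin
// perform, showing how defining the whole process.env object leaks every
// variable into the public bundle, plus a post-build check for it.
// All names and values below are constructed for illustration.

// Constructed stand-in for the build machine's process.env.
const buildEnv = {
  NODE_ENV: "production",
  CDN_HOST: "https://cdn.example.test",
  SECRET_KEY_BASE: "c0ffee1234567890deadbeefcafefeed", // constructed
  OTP_SECRET: "0tp5ecret0tp5ecret0tp5ecret0tp5ecret",  // constructed
};

// Variables that are meant to reach the browser.
const PUBLIC_VARS = ["NODE_ENV", "CDN_HOST"];

// Constructed front-end source that reads config through process.env.
const appSource = `
const cdn = process.env.CDN_HOST;
if (process.env.NODE_ENV !== "production") console.log("dev build");
export function assetUrl(path) { return cdn + "/" + path; }
`;

// Unsafe pattern, equivalent in effect to
//   new webpack.DefinePlugin({ "process.env": JSON.stringify(process.env) })
// Every occurrence of the expression `process.env` becomes one object
// literal holding all variables, secrets included.
function inlineWholeEnv(source, env) {
  return source.replace(/\bprocess\.env\b/g, JSON.stringify(env));
}

// Allowlisted pattern, equivalent in effect to
//   new webpack.EnvironmentPlugin(["NODE_ENV", "CDN_HOST"])
// Only `process.env.NAME` for an allowlisted NAME that exists in the
// environment is replaced with its value; every other reference is left
// untouched, so no other variable's value can reach the bundle.
function inlineAllowlisted(source, env, allowlist) {
  return source.replace(
    /\bprocess\.env\.([A-Za-z_][A-Za-z0-9_]*)/g,
    (ref, name) =>
      allowlist.includes(name) && name in env ? JSON.stringify(env[name]) : ref,
  );
}

// Post-build check: names of non-public variables whose values appear
// verbatim in the emitted bundle. Short values are skipped to avoid false
// positives on common substrings.
function findLeakedSecrets(bundle, env, publicNames, minLength = 8) {
  return Object.keys(env).filter(
    (name) =>
      !publicNames.includes(name) &&
      String(env[name]).length >= minLength &&
      bundle.includes(String(env[name])),
  );
}

const leakyBundle = inlineWholeEnv(appSource, buildEnv);
const safeBundle = inlineAllowlisted(appSource, buildEnv, PUBLIC_VARS);
console.log("whole-env leaks:", findLeakedSecrets(leakyBundle, buildEnv, PUBLIC_VARS));
console.log("allowlist leaks:", findLeakedSecrets(safeBundle, buildEnv, PUBLIC_VARS));
```

Running the scan against the real `public/packs` output after every build, with the deploy's actual environment, is the cheap regression check: the bundle is world-readable by design, so any value that is not meant to be public must not appear in it at all.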

@Gargron
12factor: “Store config in the environment”; “A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.”

webpack: “hold my beer”

@flussence The secrets are not in version control, obviously. It was just a mistake with config. Cannot say it's webpack's fault, but a combination of things.