Hey folks! I have spent this morning helping lemmy.world mitigate the issue. I have also sent out mitigation instructions to other admins as well.
For the particular exploit that was used on lemmy.world:
Malicious custom emoji contained scripts that sent session cookies to the attackers.
As mentioned above, it has already been mitigated on lemmy.world.
So there should not be any reason to defederate. I will continue monitoring and investigating, if further vulnerabilities pop up then I will adjust accordingly.
Thank you for being a valuable resource for the lemmyverse as a whole!
You rock! Sorry if this is a stupid question, but if both instances are running the same version of Lemmy, why would lemmy.world be affected but not lemm.ee?
Makes sense! Thank you.
It should be said that the version number is more of an indication than anything specific. I don’t think it would be hard for an instance to spoof its version number.
Also, lemm.ee in particular has a few mods and tricks that might not be in the lemmy codebase yet - @[email protected] has previously included new code he has pushed to the main stack before it has been accepted. This allowed us to have working versions of things before other instances.
Point being, two instances with the same version can have different code and implementations.
Perfect! Thanks for all of your work to keep the Fediverse functioning. We appreciate you!
Appreciate the response and explanation, I have amended the post and title to reflect that.
Thinking about things in the future, if something were to happen to lemm.ee, how could users stay up to date with you and the other admins? Do you have a Mastodon account to follow, or maybe Matrix? For things like maintenance, emergencies, etc.
I’m thinking about doing some emergency updates on a Discord server - it seems like a huge amount of users have Discord anyway, so it might be the most convenient way. I’ll probably make a post about it soon!
Thank you very much for the explanation.
Can confirm, issue resolved