A serious vulnerability has been discovered in our Pixelfed and has been fixed in version 0.12.5~ynh1.
Please do the upgrade when you can.
A serious security flaw has been discovered in Pixelfed and fixed in version 0.12.5~ynh1.
Please update as soon as you can.
This appears to be the vulnerability: Pixelfed leaks private posts from other Fediverse instances - fiona fokus
It seems bad that the follower approval feature even exists in the first place for Pixelfed to have handled incorrectly.
For quick (TL;DR) context, this is not strictly a “security” issue, but more a privacy option that negatively affects remote (including non-Pixelfed) instances’ accounts.
As far as I understand, if you’re alone on your instance (without public registration), it’s not a critical issue on your side (assuming you don’t want to exploit it :p).
However it’s best to update as soon as possible.
The update has already been deployed on the Yunohost packaging side (thanks @ljf for the quick reaction!), including for servers still running Debian/Yunohost 11.
Please update your instances as soon as you can.
The update doesn’t bring any particular changes (AFAIK), so it should not be a risky operation (but do make a backup beforehand, as always).
Links for context: Testing : update to 0.12.5 (security fix) by zamentur · Pull Request #291 · YunoHost-Apps/pixelfed_ynh · GitHub & [fix] Allow to upgrade on bullseye by zamentur · Pull Request #292 · YunoHost-Apps/pixelfed_ynh · GitHub
Also, for Pixelfed-glitch users, I believe the fix is already included in the previous release from a few days ago.
Releasing the update on the Yunohost side is on hold because of a technical issue (package version naming convention): Testing : 1.10.1 (including a security fix) by lapineige · Pull Request #4 · YunoHost-Apps/pixelfedglitch_ynh · GitHub (help appreciated :).
I think it should work with a manual update (yunohost app upgrade pixelfed_glitch -u https://github.com/YunoHost-Apps/pixelfedglitch_ynh/tree/testing).
Edit: should be fixed and available as a regular update in the coming hours.
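As an added example (not code from any post above, nor from the pixelfed_ynh or pixelfedglitch_ynh packages), the script below checks whether an installed YunoHost package version still predates the fixed one and emits the backup-then-upgrade commands the thread recommends. It compares versions with a port of dpkg's ordering, under which a `~` sorts before anything else, even the end of the string, so `0.12.5~ynh1` is lower than `0.12.5` and `0.12.4~ynh2` is lower than `0.12.5~ynh1`. Assumptions: that YunoHost's `x.y.z~ynhN` strings are meant to be ordered the dpkg way, that `yunohost backup create --apps` is the backup invocation (the `yunohost app upgrade ... -u` form is the one quoted above), and the installed version `0.12.4~ynh2` is a constructed sample.

```python
"""Decide whether a YunoHost app is still on a version that predates a fix.

Added example, not code from the thread or from the pixelfed_ynh package.
Version ordering is a port of dpkg's algorithm: '~' sorts before anything,
even the end of the string, so 0.12.5~ynh1 < 0.12.5.
"""


def _order(c: str) -> int:
    """Weight of a non-digit character in dpkg's ordering ('' marks end of string)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): compare alternating non-digit and numeric runs."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; '~' loses even to end-of-string.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, longer run wins, else first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """dpkg-style comparison: negative if v1 < v2, 0 if equal, positive if v1 > v2."""
    def split(v: str):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


FIXED_VERSION = "0.12.5~ynh1"  # version named in the announcement above


def needs_upgrade(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed package version predates the fixed one."""
    return compare_versions(installed, fixed) < 0


def upgrade_plan(app: str, installed: str, fixed: str = FIXED_VERSION, source_url: str = "") -> list:
    """Commands to run as argv lists: backup first (as the thread advises), then upgrade.

    'yunohost backup create --apps' is assumed to be the backup invocation; the
    'yunohost app upgrade APP -u URL' form is the one quoted in the thread.
    Returns an empty list when the instance is already on the fixed version or later.
    """
    if not needs_upgrade(installed, fixed):
        return []
    plan = [["yunohost", "backup", "create", "--apps", app]]
    upgrade = ["yunohost", "app", "upgrade", app]
    if source_url:
        upgrade += ["-u", source_url]
    plan.append(upgrade)
    return plan


if __name__ == "__main__":
    # Constructed sample: an instance still on the release before the fix.
    installed = "0.12.4~ynh2"
    for argv in upgrade_plan("pixelfed", installed):
        print(" ".join(argv))
```

Run it with the installed version reported for your instance; an empty plan means you are already on 0.12.5~ynh1 or later. The comparison function is the piece worth keeping: a naive string or tuple comparison would rank `0.12.5~ynh1` above `0.12.5`, which is exactly the kind of mistake that makes a package look newer than a fix it does not contain.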