This issue is already quite widely publicized and quite frankly โweโre handling it and removing thisโ is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.
Itโs not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if youโre hosting an instance. ๐
I donโt think Iโm asking for a lot. A post on !lemmy@lemmy.ml xposted to !lemmy_support@lemmy.ml that gets pinned to the top. Edit the post when relevant information comes out. Release a security advisory on github as soon as you have enough info to warrant one and keep it up-to-date as well.
Iโm not asking for the troubleshooting to happen out in the open.
you sound quite well-versed in how to handle security/critical incidents. Maybe consider contacting the devs and offering them some help in this area?
I know enough. Iโm certainly not an infosec guy Iโm just a sysadmin whoโs been doing this long enough to know what should be done. At least partly due to this thereโs currently 400 open issues just in lemmy-ui on github. Right now I think the best most of us can do is wait for the dust to settle.
Right, but Lemmy.ml is really just one of a thousand plus instances. We need something instance independent or a way to propagate info that doesnโt rely on any single failure points, or Lemmy as the communication channel. What happens when lemmy.ml is down, or if no instances are able to post due to concerted DoS?
Itโs impossible to stop anyone randomly posting stuff on Lemmy. Attackers can post misinformation as well, especially if they compromise admin accounts. Who are we gonna trust in the midst of the next incident? The account posting most prolifically about the UI exploit in progress was using a burner account that had just been created to post about it. Iโm sure there were good reasons for wanting to be anonymous when discussing the work of unknown malicious actors, but it made me think twice about what was being posted at the time.
I think the authoritative source should be the GitHub repo. A security advisory should be posted there with references to outside resources as necessary.
