This issue is already quite widely publicized and quite frankly “we’re handling it and removing this” is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.

It’s not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if you’re hosting an instance. 🙏

7 points

unfortunately there’s no images for 0.18.2-anything yet :(

permalink
report
reply
20 points
*

There are, via dessalines’ repo. It’s for lemmy-ui only, at 0.18.2-rc.1.

I have it running already on my instance, and have for 93min now.

permalink
report
parent
reply
2 points

thanks, I guess I missed it. gonna update ASAP just in case, even though I’m the only user of my instance.

permalink
report
parent
reply
9 points

Yes, there is: 0.18.2-rc.1, which has the hot fix.

permalink
report
parent
reply
1 point

Excuse my ignorance, but where can I find details to this issueand does it affect only 0.18.1, or also 0.18.0?

permalink
report
parent
reply
-24 points

Which leads me to ask: why are we still using Docker images as a MAJOR part of our infrastructure when superior alternatives exist? The Docker aspect made me realize how hacked together the codebase actually is.

permalink
report
parent
reply
9 points

I will always espouse containers for critical workloads as they provide much better orchestration, especially during deployment. If your complaint is specifically against docker, I agree, we should be using k8s

permalink
report
parent
reply
-5 points

I disagree.

IMO, we should be using Nix and OCI.

permalink
report
parent
reply
11 points

Just because it’s not using your personal preference of containerization doesn’t qualify it as being “hacked together”. Docker is a perfectly acceptable solution for what Lemmy is.

permalink
report
parent
reply
-9 points

That’s just like your opinion, man.

permalink
report
parent
reply
8 points

What are these ‘superior’ alternatives?

permalink
report
parent
reply
1 point

What’s so bad about using docker? Serious question.

permalink
report
parent
reply
6 points

That’s a ridiculous take

permalink
report
parent
reply
3 points

For amd64, Lemmy dev Dessalines pushes images to his Docker Hub repo usually right after a new version comes out.

Since they don’t release arm64 builds anymore, I build them regularly and push them to my repo, which can be found here.

permalink
report
parent
reply
2 points
*

Multi-platform images are kept up-to-date on this 3rd party repo: https://github.com/ubergeek77/lemmy-docker-multiarch

permalink
report
parent
reply
120 points

IMO it’s not a good idea to be discussing attack vectors publicly when a number of other instances are unpatched and the exploit has been in the wild for less than a day.

I agree that admins need to work together, but discussing it in public on Lemmy so soon after the attack isn’t the way. There exists a Matrix channel for admins, that’s where this type of thing should go.

permalink
report
reply
1 point

This is my take on it. I am running Lemmy in a docker using the dessalines image. I hope that there will be an update come this afternoon.

permalink
report
parent
reply
10 points

There’s already an update available, but it’s for lemmy-ui not lemmy. Just update the tag to 0.18.2-rc.1 and you’ll have this fix.

permalink
report
parent
reply
2 points

Yep, that’s the plan! Thanks for letting me know. Lemmy is awesome and I am having so much fun with it. I expect it only to get better as the days and weeks progress.

permalink
report
parent
reply
2 points

This is probably a dumb question but I used the Ansible install for Lemmy and just did a git pull and --become again but UI wasn’t updated so I assume 0.18.2 isn’t in release yet (which is fine) but is there documentation on updating UI? I see where it’s showing in the docker-compose.yml file but I am uncertain what to do after changing it there (or if that’s the right place to change it).

permalink
report
parent
reply
1 point

This is probably a dumb question but I used the Ansible install for Lemmy and just did a git pull and --become again but UI wasn’t updated so I assume 0.18.2 isn’t in release yet (which is fine) but is there documentation on updating UI? I see where it’s showing in the docker-compose.yml file but I am uncertain what to do after changing it there (or if that’s the right place to change it).

permalink
report
parent
reply
4 points

There is already an update. 0.18.2-rc1

You can apply it now.

permalink
report
parent
reply
6 points

I will have to wait until I can get home from work. Work does deep packet inspection and blocks SSH. I’ve tried doing SSH on port 993, one I know for a fact is open because I get my email that way on my phone and I still get a connection refused. Bunch of fascists!

permalink
report
parent
reply
1 point

This is probably a dumb question but I used the Ansible install for Lemmy and just did a git pull and --become again but UI wasn’t updated so I assume 0.18.2 isn’t in release yet (which is fine) but is there documentation on updating UI? I see where it’s showing in the docker-compose.yml file but I am uncertain what to do after changing it there (or if that’s the right place to change it).

permalink
report
parent
reply
71 points
*

If this was not a zero day being actively exploited then you would be 100% correct. As it is currently being exploited and a fix is available, visibility is significantly more important than anything else or else the long tail of upgrades is going to be a lot longer.

Keep in mind a list of federated instances and their version is available at the bottom of every lemmy instance (at /instances), so this is a really easy chain to follow and try to exploit.

The discovery was largely discussed in the lemmy-dev Matrix channel, fixes published on github, and also discussed on a dozen alternate lemmy servers. This is not an issue you can really keep quiet any longer, so ideally now you move along to the shout it from the mountaintop stage.

permalink
report
parent
reply
3 points

FYI for anyone looking to deface more instances, That list is only updated every 24 hours. Depending on when it last run on your home instance, the info could be out of date.

permalink
report
parent
reply
4 points

I think it also only shows backend version, not frontend, so it won’t reflect this fix.

permalink
report
parent
reply
2 points

Where is this Matrix Channel? Is it private? How can I get access as an instance admin?

permalink
report
parent
reply
7 points
3 points

Presumably that channel (I hadn’t seen it there) and https://matrix.to/#/#lemmydev:matrix.org, which is actually where I was watching for the fix.

permalink
report
parent
reply
4 points

It isn’t private, I think there’s a link on the girhub

permalink
report
parent
reply
1 point

Yep, it’s public on github.

permalink
report
parent
reply
2 points

If the only criteria to be in a private channel for admins is being an admin, there’s no use making it private. ;) Unless your just looking to filter out bad actors who don’t want to take 5 min and 5$ to make an instance.

permalink
report
parent
reply
13 points

OK, as long as all the well-meaning people stop discussing it, nobody will ever find out about it.

Son, this is not it.

permalink
report
parent
reply
114 points
*

When a vulnerability at this level happens and a patch is created, visibility is exactly what you need.

It is the reason CVE sites exist and why so many organizations have their own (e.g. Atlassian, SalesForce/Tableau )

It is also why those CVE will be on the front page of sites like https://news.ycombinator.com to ensure folks are aware and taking precautions.

Organizations that do not report or highlight such critical vulnerabilities are only hurting their users.

permalink
report
parent
reply
57 points

It is common practice to notify affected parties privately and then give full details to the public after the threat is largely neutralized. Expecting public disclosure with technical details on how to perform the attack in less than 24 hours goes against established industry norms.

permalink
report
parent
reply
47 points

That only stands true when the issue is not being actively exploited.

permalink
report
parent
reply
14 points

From what I found digging through some posts, this exploit only works if your instance uses custom emoji. Federated custom emoji are apparently harmless.

permalink
report
reply
6 points

Yes, if you have no custom emoji on your instance, you should not be vulnerable. A valid workaround before the fix is also to just remove all custom emoji, from what I’ve also read.

permalink
report
parent
reply
20 points
*

This issue is already quite widely publicized and quite frankly “we’re handling it and removing this” is a much more harmful response than I would hope to see.

Hi, mod of a community on the instance in question here. Why is this response harmful? What should we have done instead?

permalink
report
reply
27 points

I feel like it’s up for discussion here and you very well may stand by the response there, but IMO with how prevalent this issue is, a specific response of “we’ve disabled custom emoji” or “we’re upgrading to 0.18.2-rc.1 today” would have been more constructive and reassuring to users. Removal of the question and lack of details gives me a lot less confidence that the issue and fix are understood and doesn’t leave any room for that discussion.

permalink
report
parent
reply
13 points

Ahh, ok. That’s helpful, thanks!

This is going to seem silly in the context of such a severe exploit but one quirk about our instance is that we literally do not have a “general discussion” /c/. The biggest one is scoped to Star Trek and so a Lemmy exploit is obviously outside the scope of … Star Trek. I would wager that’s the main reason the mod removed the post, but I will admit that just pointing this out, I feel like the forum mod from the short story Wikihistory.

I’m in contact with the admins who manage the hosting, they are coordinating an update 0.18.2-rc1 as we speak. Also, there’s already been some discussion about setting up a general discussion /c/ on our instance and so I’ll include instance security in the scope of that /c/.

You mentioned elsewhere in this thread there is a Lemmy admins Matrix room. Is my instance big enough for my admins to be invited? If yes, who can I point them at to get in?

permalink
report
parent
reply
10 points

That’s definitely good to hear! Timely upgrades for the bigger communities will be important.

Afaik the Lemmy Matrix rooms are all public. I wasn’t invited myself; just found them via Matrix search and jumped in.

permalink
report
parent
reply
34 points

It’s strange that they would try to bury this information.

The number 1 tool against future hacks like this is education.

permalink
report
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 5.1K

    Monthly active users

  • 3.6K

    Posts

  • 81K

    Comments