Both lemmy.world and lemmy.blahaj.zone are both down, this issue IS URGENT as this could be why they are both down.
@CriticalResist8@lemmygrad.ml @muad_dibber@lemmygrad.ml @CaptCalhoun@lemmygrad.ml @Farmer_Heck@lemmygrad.ml @felipeforte@lemmygrad.ml @ksynwa@lemmygrad.ml
elara said in the matrix that we should be safe because lemmygrad “doesn’t allow HTML in its markdown parser”
That’s relieving.
Lemmygrad is spared, I don’t know if the patch has been deployed our way yet, but we weren’t hit by the exploit.
also yes I didn’t receive a notif.
Well that sucks, I’ll do a comment for notifying you next time.
(side note: unless it’s been changed/fixed, mentions only work in comments, not in posts)
Don’t post this kind of things, the less attention the better, communicate with developers in a private way and let them know about vulnerabilities.
It’s being actively exploited in the wild as we speak.
Private disclosure is only useful and necessary when vulnerabilities are not being actively exploited or if they are exceptionally technically difficult requiring very specific conditions and you are disclosing specifically those conditions which might enable additional exploitation before a fix.
However, this is a technically simple exploit, disclosing it exists will not enable more attackers.
It is responsible in situations where something is being actively exploited, it is a simple exploit, etc to discuss, inform, and yes let others who may want to patch themselves have the knowledge needed to patch when devs are asleep or otherwise unable to act expediently.
I posted it this way because it was already public, even detailing how the vulnerability worked on github, and because I thought of informing as many as possible. I should’ve explicitly stated this, but I hoped this would encourage logging off (we seriously need a log off emoji) and possibly changing your password later to remedy this.
