erincandescent on Nostr: The latest Mastodon security vuln (GHSA-jhrq-qvrm-qr36) appears to be an exploit that ...
The latest Mastodon security vuln (GHSA-jhrq-qvrm-qr36) appears to be an exploit that can be used against instances that host their media on the same domain as the Mastodon instance itself
Reminder: It is best practice to put user uploaded media on a different hostname - ideally, a separate domain name entirely, but if not possible a subdomain will suffice.
(Note: Even if you do this, you still need to upgrade; the exploit is against remote instances)
Published at 2024-02-16 11:54:07
Event JSON
{
"id": "ca184ffe872761903961f472c9e6a3650375c0d45953b9bb30832a7ddef590e4",
"pubkey": "525c26d79e9be523b836ae6784c41096cdd20040a8a6d3826c478bb97a555dc9",
"created_at": 1708084447,
"kind": 1,
"tags": [
[
"proxy",
"https://akko.erincandescent.net/objects/1a0e7c1c-221a-4d75-ba8c-6cca17aee85d",
"activitypub"
]
],
"content": "The latest Mastodon security vuln (GHSA-jhrq-qvrm-qr36) appears to be an exploit that can be used against instances that host their media on the same domain as the Mastodon instance itself\n\nReminder: It is best practice to put user uploaded media on a different hostname - ideally, a separate domain name entirely, but if not possible a subdomain will suffice.\n\n(Note: Even if you do this, you still need to upgrade; the exploit is against remote instances0",
"sig": "9c59a5f2452905def52e0b659ad0f3b3b84fd42efdc0ff28cdb1007bb1afcf079d1cfd594032b18a875dfbbc5048a93822e8c3075ad41fcb2fff375ff0970a29"
}