Glitch on Nostr: for anyone wondering, the mastodon security advisories got posted. in summary: OEmbed ...
for anyone wondering, the mastodon security advisories got posted.
https://github.com/mastodon/mastodon/security

in summary:
OEmbed preview parsing could lead to XSS.
A bug that allowed users to upload files anywhere the Mastodon app could write to was squashed.
It was possible to read-timeout the HTTP workers by constantly delaying requests.
Something about how it’s possible to craft a misleading verified URL using formatting. (I don’t quite think this is a security issue, more a user issue but fine, whatever).
Published at 2023-07-06 20:36:30

Event JSON
{
  "id": "c758f7a51d5693cf087b97664985907c97d5f6167344cb13ca6beb3ff53e0739",
  "pubkey": "0b0dde22c27709990f62e697102743a240e10fb921e57706ed5a72ee1e95991a",
  "created_at": 1688675790,
  "kind": 1,
  "tags": [
    [
      "mostr",
      "https://pl.glitch.pm/objects/b445378f-e5f1-4d6d-8937-7f94f9b4dd04"
    ]
  ],
  "content": "for anyone wondering, the mastodon security advisories got posted.\n\nhttps://github.com/mastodon/mastodon/security\n\nin summary:\n\nOEmbed preview parsing could lead to XSS.\nA bug that allowed users to upload files anywhere the Mastodon app could write to was squashed.\nIt was possible to read-timeout the HTTP workers by constantly delaying requests.\nSomething about how it’s possible to craft a misleading verified URL using formatting. (I don’t quite think this is a security issue, more a user issue but fine, whatever).",
  "sig": "939e51fe67ea78b1fcc55fc03b182416e779b6b36d293b1faa9243a0ee96542549035ad5517993daf0fad29513992839dd8004430df15a2648b1a93ed282bc94"
}