dadosch, 3 months ago

@dansup @milan @Cedara FYI ⬆️ , pixel.tchncs ist noch auf 0.11.9

milan, 3 months ago

@dadosch ja, durch diese dev branch mentalität von denen hatte ich offenbar noch keine release benachrichtigungen und daher nicht in der todoliste einsortiert - hatte es zwar im kopf aber das war offenbar gestern nicht mehr genug. @Cedara

mdwalters, 3 months ago

@dansup no offense, but you're saying to update asap, but they you're saying that you want to give admins time to update? i kinda find that rather inconsistent

dansup, 3 months ago

@mdwalters We want to give admins time to update before disclosing more info about the security vulnerability. This is common practice

Cc @thisismissem

thisismissem, 3 months ago

@dansup @mdwalters this is actually consistent with best practices: update immediately / as soon as possible, but we're aware people may take some time to upgrade, so we're allowing two weeks before releasing details.

Here's the advisory: https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

CodingThunder, 3 months ago

@thisismissem @dansup @mdwalters doesn't the git commit history already reveal everything? I'm not familiar with pixelfed's codebase, but it wont take me a lot of time to figure it out.

thisismissem, 3 months ago

@CodingThunder @dansup @mdwalters not necessarily, but if you do go looking, we ask that you keep anything you learn to yourself & wait for the official information on the 25th February.

Iamgroot11, 3 months ago

@dansup done!