#Ubuntu still doesn't have a patch or even a security notice for #sshkeysignpwn ...

How is this? Everyone else has been patched for days!

#Debian had a fix Friday morning... #DomumSocial is running on Debian, but in my day job I'm stuck with Ubuntu.

If you're also stuck with Ubuntu there is a mitigation:

`sudo sysctl -w kernel.yama.ptrace_scope=3`

I've tested this against the known exploit code at https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn

This will disable the vulnerable ptrace call until the next reboot.

Seeking confirmation of my theory I was able to find:
https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/

You can also set "yama.ptrace_scope" to "2", which will only allow root to use ptrace (and will also allow resetting it w/o reboot). The link above has more explanations and directions for setting it persistently across reboot for now.

This will break `strace` and `gdb`!

#Linux #sysadmin #security

GitHub - 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
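
An added example, not part of the original post or of the linked projects: a small audit that compares the running `kernel.yama.ptrace_scope` with the value persisted in sysctl configuration, to flag hosts where the mitigation above would be lost at the next reboot. It assumes only `/etc/sysctl.d/*.conf` is consulted; the function names and status labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit the Yama ptrace_scope mitigation on a host.

# Print the last kernel.yama.ptrace_scope value assigned in DIR/*.conf.
# Files are read in lexical order and later assignments override earlier
# ones; comment lines (# or ;) never match the pattern.
persisted_scope() (
    val=""
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        hit=$(sed -n 's/^[[:space:]]*-\{0,1\}kernel[./]yama[./]ptrace_scope[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
        [ -n "$hit" ] && val=$hit
    done
    printf '%s\n' "$val"
)

# Classify a host from its runtime value ($1) and persisted value ($2).
#   NO_YAMA       knob unreadable (Yama not available)
#   UNMITIGATED   runtime value below 2, unprivileged ptrace still possible
#   RUNTIME_ONLY  mitigated now, but the setting will not survive a reboot
#   PERSISTED     mitigated now and after reboot
audit_scope() {
    case "$1" in
        ''|*[!0-9]*) echo NO_YAMA; return 0 ;;
    esac
    if [ "$1" -lt 2 ]; then
        echo UNMITIGATED
    elif [ -z "$2" ] || [ "$2" -lt 2 ]; then
        echo RUNTIME_ONLY
    else
        echo PERSISTED
    fi
}

# Report for the local host (assumed paths: the Yama procfs knob and
# /etc/sysctl.d; other sysctl locations are not inspected).
report_host() {
    runtime=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true)
    audit_scope "$runtime" "$(persisted_scope /etc/sysctl.d)"
}

report_host
```

A `RUNTIME_ONLY` result matches the situation in the post after running `sysctl -w` alone: the host is protected until the next reboot and then reverts.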


#DomumSocial connectivity will be unstable over the next few hours for switch replacement.

Hopefully actual downtime will be minimal.

As always updates will be posted to

https://status.domum.social

Domum Social

#DomumSocial had a network fault starting sometime before 19:24 UTC which was provisionally resolved at 21:16 UTC.

This was caused by a faulty switch.

The switch is still faulted and connectivity was re-established using wifi.

This is sub-optimal, especially because remote unlocking for the encrypted root drive is not possible over wifi. This means time to recovery for any unplanned reboots will be substantially increased.

#DomumSocial updated to Mastodon v4.5.8 and all is well (AFAIK)

On Saturday Mar 28 2026 we experienced a power fault lasting from approximately 1700UTC to 1820UTC.

Reminder: when the main site is down, updates are posted to:

https://status.domum.social

#DomumSocial

#DomumSocial Site move is complete; no further disruption anticipated today.

We will need another smaller window soon for version updates but that's generally only seconds of downtime.

https://status.domum.social


It's time for #Domumsocial to move servers,

expect disruptions over the next hour or two.

Next Outage window for the #DomumSocial server move will be:

Monday 23 March 2026 21:00UTC

https://status.domum.social


The proxy container in the new install was in a slightly different network range than the old/current location.

I've widened the allowable range in the Mastodon environment to cover all likely Docker networks.

Probably could have figured this out and taken a longer downtime today, but since the site was live I didn't want people to make changes that would get lost if I had to revert, so backed out quickly for safety.

I just need to work out a good time to try again.

#DomumSocial #Mastoadmin

Maintenance Update:

Everything is back as it was on the old server.

Things went oddly. Everything seemed to come over fine, but the ClearNet site wouldn't load and the TOR site mostly worked, but websockets (which do the automated feed updates) were throwing errors.

I quickly reverted and will review the logs to make a plan for the next move attempt...

#DomumSocial