Dessalines

Lemmy Release v0.19.17

https://lemmy.ml/post/44902280

Lemmy Release v0.19.17 - Lemmy

Lemmy

Mar 23 at 3:46pmWeb
Show threadFirmDistribution2d ago

Changelog

This release addresses another security advisory related to internal host access. You can now bypass these checks for federation, in order to federate with instances over the local network by setting environment variable DANGER_FEDERATION_ALLOW_LOCAL_IP=1. There are also some bug fixes, and lemmy-ui now logs file requests.

  • Improve IP checks by @nutomic in #6411
  • Allow to bypass federation IP checks with env var DANGER_FEDERATION_ALLOW_LOCAL_IP by @nutomic in #158
  • Fix Arabic user/community names by @nutomic in #3968
  • Fix removing post.url by @nutomic in #3984
  • Add lemmy-ui request logs by @MrKaplan-lw in #3933
SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

### Summary The `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remot...

GitHub