Wavelog 2.4.2 has been released!

Important Security Update

This release fixes a critical vulnerability affecting all existing Wavelog installations from version 1.8 onward. While we have no indication of exploitation in the wild, the risk profile changes once the fix is public and we recommend updating to 2.4.2 promptly.

https://github.com/wavelog/wavelog/releases/tag/2.4.2

#Wavelog #HamRadio #AmateurRadio #hamr #logging #HamLogging #radio #HamLog #log #logs

@k8vsy

If you cannot update right away, block external access to the /install/ directory at your webserver level as a temporary mitigation.

Maybe I'm just paranoid, but I've had /install/ blocked ever since I finished the installation via:

location ~ /(\.|install) {deny all;}
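
An added example, not part of the thread and not Wavelog code: a simplified Python model of how nginx picks a location block. It shows that a regex deny rule like the one above covers /install/index.php only when it is listed before any other regex location that also matches, while a `^~ /install/` prefix rule does not depend on order. The PHP handler and catch-all locations are assumptions made for illustration.

```python
import re

def select_location(locations, uri):
    """Simplified model of nginx location selection within one server block.

    locations: (modifier, pattern, name) tuples in config-file order, where
    modifier is "=", "^~", "" (plain prefix), "~" or "~*".
    """
    best = None  # longest matching prefix location seen so far
    for mod, pat, name in locations:
        if mod == "=" and uri == pat:
            return name  # an exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, name)
    if best and best[0] == "^~":
        return best[2]  # ^~ on the longest prefix skips the regex phase
    for mod, pat, name in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return name  # first matching regex in file order wins
    return best[2] if best else None

# Constructed configurations; only DENY's pattern comes from the thread.
DENY = ("~", r"/(\.|install)", "deny")
PHP = ("~", r"\.php$", "php")   # assumed PHP handler location
ROOT = ("", "/", "static")      # assumed catch-all location
PHP_FIRST = [ROOT, PHP, DENY]
DENY_FIRST = [ROOT, DENY, PHP]
PREFIX_DENY = [ROOT, PHP, ("^~", "/install/", "deny")]

SAMPLE_URIS = ["/install/index.php", "/index.php", "/installer.txt",
               "/.well-known/acme-challenge/token"]

if __name__ == "__main__":
    for label, conf in [("php first", PHP_FIRST), ("deny first", DENY_FIRST),
                        ("^~ prefix", PREFIX_DENY)]:
        for uri in SAMPLE_URIS:
            print(f"{label:10} {uri:36} -> {select_location(conf, uri)}")
```

The model also shows the regex rule denying /.well-known/ paths and anything whose path segment starts with "install", which matters if the same server answers ACME HTTP-01 challenges.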

@me Probably a good idea to keep it blocked
@k8vsy Well, initially I had Wavelog public because my father wanted an account and we didn't have a VPN set up yet, so I just blocked /install/, etc. and figured that was a good balance between security and convenience.
Now he's actually set up his own Wavelog server, though, so I don't have any reason to expose it publicly at all. I put the entire thing behind mTLS a month or two ago and now I'm the only person who can access it.