culpritus [any]@hexbear.net to Slop.@hexbear.net · English · 2 months ago

turns out there's some zero-day bugs in that pie

hexbear.net

28 comments · ↑77


most of the instances are offline or admin only login last I checked

https://lemmy.ml/modlog/14815

  • حمید پیام عباسی@crazypeople.online · English · ↑50 · 2 months ago

    who would have thought software that was quickly spun up to replace something carefully written over the course of 7 years because tankies would have 0 days

    • Goferking0@ttrpg.network · ↑41 · 2 months ago

      you don’t understand, piefed only has the best code. Everyone says so and it even happens so much faster than those dirty tankies. Some say it is the perfect code but please whatever you do don’t look at it just imagine the best possible code and that’s it.

      Here I was thinking the downtime was due to the hosting DC having a fire https://www.datacenterdynamics.com/en/news/northc-data-center-outside-amsterdam-suffers-fire/

  • Goferking0@ttrpg.network · ↑27 · 2 months ago

    Ohhhh that’s why they need possibly 24hrs of downtime 😂😂😂😂😂

  • Infamousblt [any]@hexbear.net · English · ↑26 · 2 months ago

    Lol. Lmao, even

  • Goferking0@ttrpg.network · ↑23 · 2 months ago

    Even dealing with a security issue the code is shit. Why are they chaining multiple ors in a single if statement?

    ```python
    # Imports are not shown in the post; these are what the names imply
    # (Flask's current_app, the furl URL library, stdlib ipaddress).
    import ipaddress
    from flask import current_app
    from furl import furl


    def is_invalid_get_request_uri(uri):
        if current_app.debug:
            return False
        try:
            ip = ipaddress.ip_address(furl(uri).host)
        except:
            ip = None

        if ip:
            return ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_loopback or ip.is_multicast or ip.is_unspecified
        return False


    def is_invalid_post_request_uri(uri):
        return is_inv  # the snippet is cut off here in the post
    ```

    https://codeberg.org/rimu/pyfedi/commit/ada8e2ea35ec687000b7e7c2343288d44a219c3a

    • mathemachristian [he/him]@hexbear.net (mod) · ↑15 · 2 months ago

      I mean they weren’t given any heads up but had to instantly shut down their servers and figure out what was going on and come up with a solution on the spot. Not that I think piefed is well-made but just publicly posting critical security vulnerabilities is a dick move.

      • Goferking0@ttrpg.network · ↑3 · 2 months ago

        Was it a zero day? And fair.

        • mathemachristian [he/him]@hexbear.net (mod) · ↑3 · 2 months ago

          Yeah, piefed is rather small and apparently no one even thought to as much as prompt an LLM for the code. It was an unknown vulnerability.

          • Goferking0@ttrpg.network · ↑3 · 2 months ago

            https://lemmy.ml/post/47379574 - - I think this is at least one of them?

            Will be an interesting read when not weekend.

            Mostly wasn’t sure if something big in python or just the implementation. Been so many announcements on big vulnerabilities lately

            • mathemachristian [he/him]@hexbear.net (mod) · English · ↑3 · 2 months ago

              If it’s the one from yogthos then yeah

    • MoonMelon@lemmy.ml · English · ↑14 · 2 months ago

      Bare except, too. Not ideal.
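An added example, not code from the PieFed commit or from anyone in this thread: a standard-library rewrite of the request-target check quoted above, written the way a reviewer answering the two objections (the chained `or`s and the bare `except`) would. The names `is_invalid_request_uri`, `address_is_non_global`, `fake_resolve` and the `FAKE_DNS` table are this example's own. It also goes beyond the quoted snippet in one respect: the original returns False (allow) for any host that is not an IP literal, so this version resolves hostnames too, with an injectable resolver so it runs offline.

```python
"""Standard-library rewrite of the request-target check quoted in the thread.

Added example, not PieFed's code. Same contract as the original
(True means "reject this URI"), with the differences noted inline.
All names here (is_invalid_request_uri, address_is_non_global,
fake_resolve, FAKE_DNS) are this example's own.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline.
# 8.8.8.8 is used only as a well-known globally routable address.
FAKE_DNS = {
    "public.example": ["8.8.8.8"],
    "metadata.example": ["169.254.169.254"],   # name pointing into link-local space
    "dual.example": ["8.8.8.8", "10.0.0.5"],   # one public and one private answer
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def system_resolve(host: str) -> List[str]:
    """Real resolver, used only when the caller injects nothing."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def address_is_non_global(ip) -> bool:
    """True for any address an outbound fetch must not reach.

    `is_global` already covers private, loopback, link-local, reserved,
    unspecified, shared (100.64/10) and documentation ranges, but NOT
    multicast, so that flag is checked explicitly; this keeps every case
    the original chain of `or`s rejected.
    """
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        ip = mapped
    return (not ip.is_global) or ip.is_multicast


def is_invalid_request_uri(uri: str,
                           resolve: Callable[[str], Iterable[str]] = system_resolve) -> bool:
    """Return True when `uri` must be rejected before any request is made."""
    try:
        parts = urlsplit(uri)          # raises ValueError on a malformed IPv6 literal
    except ValueError:
        return True
    if parts.scheme not in ("http", "https"):
        return True
    host = parts.hostname              # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return True
    try:
        return address_is_non_global(ipaddress.ip_address(host))
    except ValueError:
        pass                           # not an IP literal: fall through to resolution
    answers = list(resolve(host))
    if not answers:
        return True                    # unresolvable: fail closed
    for answer in answers:
        try:
            if address_is_non_global(ipaddress.ip_address(answer)):
                return True            # any non-global answer poisons the name
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    for target in ("http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]/", "http://224.0.0.1/",
                   "http://8.8.8.8/", "https://dual.example/"):
        print(f"{target:45} reject={is_invalid_request_uri(target, fake_resolve)}")
```

Two caveats worth keeping in mind when reading the original against this. First, a resolve-time check only narrows the window: to close DNS rebinding the HTTP client has to connect to the address that was checked, or re-check at connect time. Second, the original's `if current_app.debug: return False` disables the check entirely on any instance left running in debug mode, so a hardened version should not carry that bypass.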

  • RedWizard [he/him, comrade/them]@hexbear.net · ↑22 · 2 months ago

    https://codeberg.org/rimu/pyfedi/compare/v1.6.24...v1.6.25

    • Fossifoo [comrade/them]@hexbear.net · English · ↑12 · 2 months ago

      “security tweaks” michael-laugh

      • RedWizard [he/him, comrade/them]@hexbear.net · ↑7 ↓1 · edited · 2 months ago

        Yeah I’m no expert but [the bug they fixed could theoretically get cloud hosting private keys for the hosted service]

        • floquant@lemmy.dbzer0.com · ↑8 · 2 months ago

          Complete hallucination, this is improper validation of requests, nothing about fetching something or leaking credentials.

          Also, 169.254.0.0/16 is the link-local IPv4 network so it doesn’t even make sense outside of the fact that aws servers may get metadata on such networks (which again is absolutely unrelated to this diff). Is this a 3b model? Seems like it ran out of context, maybe it loaded the entire html page.

          • RedWizard [he/him, comrade/them]@hexbear.net · ↑5 · 2 months ago

            > Yeah I’m no expert

            I’ll bold it next time. However, thank you for your analysis!

        • mathemachristian [he/him]@hexbear.net (mod) · ↑6 · 2 months ago

          is this live? If it is please remove the comment and tell the devs. This could put people who already are being harassed on the regular by trolls at risk. I don’t know if IP addresses are logged, not everyone uses burner email addresses etc.

          I can’t even mod the comment bc then it just shows up on the modlog, i’d have to remove the entire post.

          • RedWizard [he/him, comrade/them]@hexbear.net · ↑6 ↓1 · 2 months ago

            They patched it. This is what the threat was.

            • mathemachristian [he/him]@hexbear.net (mod) · ↑5 · 2 months ago

              Ah good

            • floquant@lemmy.dbzer0.com · ↑1 · 2 months ago

              It was not, that’s only what deepseek said it was. I don’t know why you edited the comment to hide the details of the hallucination instead of accepting that it fluked.

              • RedWizard [he/him, comrade/them]@hexbear.net · ↑4 · 2 months ago

                I changed it before I read your comment because a mod asked me to. Relax.

  • infuziSporg [e/em/eir]@hexbear.net · English · ↑20 · 2 months ago

    If I was fed the pie, will I be okay or should I get help?

    • peeonyou [he/him]@hexbear.net · English · ↑15 · 2 months ago

      i would suggest forcing fingers down your throat until you upchuck it

  • FlakesBongler [they/them]@hexbear.net · English · ↑19 · 2 months ago

    data-laughing

  • RedWizard [he/him, comrade/them]@hexbear.net · ↑17 · 2 months ago

    Lol wait really? Makes a blog post about burn out, zeroday crashes every piefed instance?

  • Thordros [he/him, comrade/them]@hexbear.net · English · ↑17 · 2 months ago

    ha ha

  • hellinkilla [they/them, they/them]@hexbear.net · English · ↑16 · 2 months ago

    Other than the dev?

  • Goferking0@ttrpg.network · ↑15 · 2 months ago

    Interesting

    | 6 hours ago | infosec.pub mod | Deleted post Piefed has some really bad security bugs that p… in cybersecurity@infosec.pub |
