As you might have heard, several Lemmy instances have been attacked via a security vulnerability in the browser frontend related to custom emoji.

While SLRPNK was vulnerable to it, we do not seem to have been actively targeted, and I took the instance down as a precaution as soon as I learned about it.

I have applied all the currently known mitigations, which means that everyone got logged out of their account and needs to log back in manually.

As of writing this, the API is working again and can be used safely with apps like Jerboa.

I am still contemplating if I want to re-enable the web frontend now or wait for a release that fixes the issues found.

Edit: the main issue has been fixed and I restarted the web UI with it.

  • thisfro (2 points, 11 months ago)

    Thank you for the quick action! Do you have a channel on another service where one could see the status of something like this? Maybe Matrix, Mastodon or similar? If not, that is fine too, of course! But maybe there is one already anyway.

    • poVoq (OP; mod, admin) (2 points, 11 months ago)

      There is a Matrix channel for instance admins if you mean that?

      For status of the infra, we have: https://health.f-hub.org/ (slrpnk.net is at the bottom), but that could probably be improved now that the Lemmy backend has support for Prometheus monitoring.

      • thisfro (1 point, 11 months ago)

        I was thinking more of a channel where you (and other admins) could make announcements such as this post, which is readable when the instance has issues or is down. So we know what is going on (not only that it is down, but also why) and could also maybe help out if needed :)

        • poVoq (OP; mod, admin) (1 point, 11 months ago)

          Hmm, yes, that might be good. For now there is also my personal Fediverse account: https://outmo.de/kris, but it runs on the same infra, so if there is a more serious issue it will be down too.

          But generally speaking, if there are issues that affect more than slrpnk.net, other Lemmy instances will also be down or at least talk about it.

          I think the next step is to complete my plans for the infra that will allow easier access for external sysadmins, so that we can reduce the bus factor. I'll keep you all posted on when this will be possible.

          • thisfro (1 point, 11 months ago)

            Very nice, thank you for all your work!