Librem Social/Mastodon vulnerability

I’ve been disappointed that Librem Social is still based on an older version of Mastodon (v3.1.1), but now I see there’s a vulnerability that affects older versions and there doesn’t seem to be a patch for versions earlier than 3.5.17. I wonder how this vulnerability will be addressed for Librem Social.

https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw

5 Likes

Maybe you could use the vulnerability to take over accounts and have them all make posts about how Librem Social should update, so that then the people running it will become so cross that they will be forced to take action to resolve the issue.

PS: I am not a Librem Social user so the above bad idea is merely a hypothetical joke, and I am not informed about how Librem Social actually works. Maybe I should be a Librem Social user.

1 Like

Deadline: 2024/02/15 when exploit details are threatened to be made public. @JCS ?

5 Likes

I am also disappointed and frustrated that Librem Social is on a (very much) older version. I have also asked about it here last year as well as on Librem One Matrix channel (with my Librem Chat account). At the Matrix, one guy said he should bring it up with eg a developer, but then it has been silence. Also Librem Chat is old version, when I use Element it warns me that my (Librem Chat) server should be upgraded.

So I fully agree with your question and concern.

1 Like

It is interesting seeing a lack of urgency to communicate and/or act from a company that touts security as a core tenant.

Also while this may a bigger vulnerability for than others, are there not previously patched vulnerabilities not applied already… is security patching not a part of the standard security practices for Purism?

1 Like

The last time there was an update, it was after the DDoS attack.

Other Discourse servers such as the Qubes OS, Whonix, and Tor Project Forum have support for passkeys now.

2 Likes

It has at least been escalated.

2 Likes

So, did the escalation accomplish anything?

2 Likes

Apparently proof-of-concept code has been published for CVE-2024-23832 (CVSS 9.8), but unless I missed something Purism hasn’t yet said anything about Librem Social being immune to this vulnerability or published an ETA for upgrading or patching the software.

3 Likes

It is listed in the same article:

Remote User Impersonation and Takeover via Cache Poisoning

It has been over ten days since the PoC was released. Has Librem Social been updated or not?

@lifeform

2 Likes

There you go.

2 Likes

Any news from Purism of upgrade plan of Librem Social/Mastodon to latest release (currently 4.3.1) an then stay updated?

1 Like

Historically Purism has not made such communication and is unlikely to make that kind of commitment as when they commit to things that involve timelines/timeliness there is considerable noise made when there is a perception that they are not meeting that time expectation.

@JCS might be able to chime in on this more officially.

3 Likes