I’ve been disappointed that Librem Social is still based on an older version of Mastodon (v3.1.1), but now I see there’s a vulnerability that affects older versions and there doesn’t seem to be a patch for versions earlier than 3.5.17. I wonder how this vulnerability will be addressed for Librem Social.
Maybe you could use the vulnerability to take over accounts and have them all make posts about how Librem Social should update, so that then the people running it will become so cross that they will be forced to take action to resolve the issue.
PS: I am not a Librem Social user so the above bad idea is merely a hypothetical joke, and I am not informed about how Librem Social actually works. Maybe I should be a Librem Social user.
I am also disappointed and frustrated that Librem Social is on a (very much) older version. I also asked about it here last year, as well as on the Librem One Matrix channel (with my Librem Chat account). On Matrix, one guy said he would bring it up with e.g. a developer, but since then it has been silence. Librem Chat is also an old version; when I use Element it warns me that my (Librem Chat) server should be upgraded.
It is interesting seeing a lack of urgency to communicate and/or act from a company that touts security as a core tenet.
Also, while this may be a bigger vulnerability than others, are there not previously patched vulnerabilities that have not been applied already… is security patching not a part of the standard security practices for Purism?
Apparently proof-of-concept code has been published for CVE-2024-23832 (CVSS 9.8), but unless I missed something Purism hasn’t yet said anything about Librem Social being immune to this vulnerability or published an ETA for upgrading or patching the software.
Historically, Purism has not made such communication and is unlikely to make that kind of commitment, as when they commit to things that involve timelines/timeliness, there is considerable noise made when there is a perception that they are not meeting that time expectation.
@JCS might be able to chime in on this more officially.