ubergeek77/Lemmy-Easy-Deploy

Update for recent vulnerability

nealhead opened this issue · 3 comments

Has this script been updated to reflect the vulnerability from yesterday that allowed stealing tokens from custom emoji?

Hello!

No Lemmy-Easy-Deploy update is necessary; LED already lets you update to any custom rc version.

A fix was tagged in the UI repo as 0.18.2-rc.1, so you just need to force an update to that tag:

./deploy.sh -w 0.18.2-rc.1 -f

As of right now, there are no new backend tags, but if you take a look at the --help page (or the README), you can learn how to update to backend RC versions in the same way.

Awesome! Thank you for the quick response!

You're welcome! If I heard right, this vulnerability also doesn't affect you unless you have custom emojis.