this post was submitted on 17 Apr 2025
16 points (100.0% liked)

Blahaj Lemmy Meta


Blåhaj Lemmy is a Lemmy instance attached to blahaj.zone. This is a group for questions or discussions relevant to either instance.


This release fixes a security vulnerability which allows an attacker to delete images uploaded by other users. You can read the details in the security advisory. Thanks to @Nothing4You for discovering and fixing it.

An improper uploaded media ownership check can result in inadvertent deletion of media when a user is banned with content removal or purged. This can lead to deletion of media that was not uploaded by the banned/purged user. This also applies to purged communities, in which case all media posted in that community will get deleted without proper ownership check. This is limited to media with an image/* content-type returned by pict-rs.

In addition to the fun changelog:

https://join-lemmy.org/news/2025-04-08_-_Lemmy_Release_v0.19.11
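
The ownership check the advisory describes, as an added Rust sketch that is not part of the post and is not Lemmy's code. It assumes a simplified model in which a purge collects the media referenced by the purged user's posts; all names (`Instance`, `Upload`, `purge_user`) and the sample data are hypothetical.

```rust
use std::collections::HashMap;

// Hypothetical model of an upload record: who uploaded it and what type the media store reports.
struct Upload { uploader: u32, content_type: &'static str }

struct Instance {
    uploads: HashMap<&'static str, Upload>, // media alias -> upload record
    post_media: Vec<(u32, &'static str)>,   // (post author, media alias the post references)
}

// Constructed sample: user 1 uploaded cat.png; user 2 reposted it and uploaded own.png and clip.mp4.
fn sample() -> Instance {
    let uploads = HashMap::from([
        ("cat.png", Upload { uploader: 1, content_type: "image/png" }),
        ("own.png", Upload { uploader: 2, content_type: "image/png" }),
        ("clip.mp4", Upload { uploader: 2, content_type: "video/mp4" }),
    ]);
    let post_media = vec![(1, "cat.png"), (2, "cat.png"), (2, "own.png"), (2, "clip.mp4")];
    Instance { uploads, post_media }
}

impl Instance {
    // Deletes media referenced by `user`'s posts and returns the deleted aliases, sorted.
    // Assumption: the purge path in this model only touches image/* media, mirroring the advisory's stated limit.
    // check_owner = false models the missing check; true requires that `user` uploaded the media.
    fn purge_user(&mut self, user: u32, check_owner: bool) -> Vec<&'static str> {
        let mut doomed: Vec<&'static str> = self.post_media.iter()
            .filter(|(author, _)| *author == user)
            .map(|(_, alias)| *alias)
            .filter(|alias| self.uploads.get(alias).map_or(false, |u| {
                u.content_type.starts_with("image/") && (!check_owner || u.uploader == user)
            }))
            .collect();
        doomed.sort();
        doomed.dedup();
        for alias in &doomed { self.uploads.remove(alias); }
        doomed
    }
}

fn main() {
    // Without the check, purging user 2 also removes user 1's cat.png.
    println!("unchecked: {:?}", sample().purge_user(2, false));
    println!("checked:   {:?}", sample().purge_user(2, true));
}
```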

[–] Nothing4You 4 points 1 week ago

I messaged @[email protected] on matrix about this a while back already, before it was published. this is easily backported to 0.19.8, most likely even with the custom blahaj patches. i'm not sure it was applied though, as i didn't hear back from her unfortunately.