Conversation

Sharkey - Official Account

Hello everyone, the Sharkey project has been quiet due to our ongoing efforts to patch major security vulnerabilities in coordination with Firefish, Iceshrimp.js, and upstream Misskey. On Wednesday, November 20th, 2024, our efforts will be finalized with a security release for all affected projects. It is of utmost importance to update your instance(s) to the latest version if you utilize any of the aforementioned software once the patches are released.

@Sharkey glad you all could finally get this out, i know everyone’s been working their asses off to get this coordinated

@cyrus Firefish is on maintenance mode, with releases for security fixes. For that reason, we felt the need to coordinate a release with them, so they wouldn’t be off-guard.

@Sharkey@shonk.social at what time will the security release be published? i'd like to upgrade ASAP, since i run my own instance (this one!), and i'd love to be able to plan accordingly.

also, is this major enough that it's worth just shutting down my instance until i patch it? or is the impact minimal on single-user instances like my own?

cc
@terrain@tech.lgbt (my other account; so i can potentially keep up with this in case i do decide to just shut down my instance out of caution)

@sodiboo @terrain we’re aiming for the evening (EST) for the release. Coordinating a release between four different forks is hard, so we can’t provide an exact time.

@Sharkey @sodiboo @terrain It’s also not really feasible to comment on the extent of what was found. I will say that there are no currently known cases of it being exploited in the wild so I do not think that you should preemptively shut down an instance until the patches are available.

@puppygirlhornypost2 @Sharkey @terrain

> I do not think that you should preemptively shut down an instance until the patches are available.

yes, but what if patches become available and i am not able to upgrade right away? is it worth shutting down then? (i.e. just running a shutdown command from my phone over ssh)

@Sharkey @sodiboo @terrain Like, transfem.social has been up ever since these were found and I am aware of the extent. Just, make sure when the patches are released you do take the instance down to apply them because it’s entirely possible people may use the patch code to figure out how to utilize the exploit in the wild unfortunately :/

@puppygirlhornypost2 @Sharkey @sodiboo @terrain est evening sounds like we may be asleep at that time, so ig still should shut it down? :/

Depends on how you define evening tho, if it’s sth like 18:00, it’s fine, if it’s like 23:00, not really

@sodiboo @Sharkey @terrain I’d say it’d be wise if you can’t apply them within the first couple hours

@puppygirlhornypost2 @Sharkey @sodiboo @terrain @alice ye, its not an optimal time window for european instances :neocat_think: but i also see its pretty tough to squeeze it in a time frame which is both acceptable in the us and japan. but for that case, i would have picked something in the morning est, because then most of the night is over the pacific

@puniko @Sharkey @sodiboo @terrain @alice we eventually reached the point in which it was “now or never” and we needed to have a set date in stone. my apologies (i wasn’t part of the deciding factor of when to do the releases, but i am part of the team). it’s certainly not optimal for any of us

@puppygirlhornypost2 @Sharkey @sodiboo @terrain @alice oh, dont get me wrong, i’m not blaming anyone. i understand the reasoning behind it and its hard to coordinate over multiple projects over multiple continents. just giving my 2 cents.
:neocat_googly_woozy: also doing nightshifts is sometimes part of server admin stuff, isnt it

everything happening on a wednesday... Lemon8 and TikTok "merging" and now this

nothing wrong with those.. right? :neofox_googly:

RE: https://shonk.social/notes/a0r1hmigg0yu001m

@Sharkey the intro scared me, but good to hear! 😅
