Hollo security updates: 0.7.15 and 0.8.3 #471
dahlia
announced in
Announcements
If you run Hollo, update to a patched release now. A private network protection bypass in Fedify, the ActivityPub framework Hollo depends on, affects remote document loading. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass URL validation even though they refer to private or loopback addresses.

Hollo uses Fedify to fetch remote ActivityPub documents and related resources. An attacker who can make your Hollo instance fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF (Server-Side Request Forgery) risk.
All Hollo versions up to and including 0.7.14 and 0.8.2 are affected. Patched releases are 0.7.15 for the 0.7.x series and 0.8.3 for the 0.8.x series. For full technical details of the underlying vulnerability, see the Fedify security announcement.
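As an added illustration (this is not Hollo's or Fedify's own code), the Node.js check below unwraps IPv4-mapped IPv6 literals before classifying an address, so the `[::ffff:7f00:1]` form described above is treated as loopback rather than waved through. The function names, the range list and the `localhost` handling are assumptions of this example.

```javascript
// Added example, not Hollo's or Fedify's own code: a private-address check
// that unwraps IPv4-mapped IPv6 literals before classifying them, so that
// http://[::ffff:7f00:1]/ is rejected just like http://127.0.0.1/.

// Expand an IPv6 literal (no brackets) into eight 16-bit groups.
function parseIPv6(addr) {
  let s = addr;
  // Fold a trailing dotted quad (::ffff:127.0.0.1) into two hex groups.
  const m = s.match(/^(.*:)(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (m) {
    const b = m.slice(2).map(Number);
    s = `${m[1]}${((b[0] << 8) | b[1]).toString(16)}:${((b[2] << 8) | b[3]).toString(16)}`;
  }
  const [head, tail = ""] = s.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const zeros = Array(8 - h.length - t.length).fill("0");
  return [...h, ...zeros, ...t].map((g) => parseInt(g, 16));
}

// RFC 1918, loopback, link-local, "this network" and CGNAT (RFC 6598) ranges.
function isPrivateIPv4(o) {
  return o[0] === 0 || o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254) ||
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127);
}

function isPrivateIPv6(g) {
  // IPv4-mapped (::ffff:a.b.c.d): classify the embedded IPv4 address, which is
  // exactly the case the bypass in the announcement relied on.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return isPrivateIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}

// True when the URL's host is a literal address in a private/loopback range.
// The WHATWG URL parser canonicalizes hosts first (e.g. 2130706433 -> 127.0.0.1,
// [::ffff:127.0.0.1] -> [::ffff:7f00:1]), so the checks run on the normalized form.
// Hostnames are not resolved here; a real fetcher must apply the same test to
// every address DNS returns for them (assumed policy: only "localhost" is flagged).
function isPrivateUrl(urlString) {
  const host = new URL(urlString).hostname;
  if (host.startsWith("[")) return isPrivateIPv6(parseIPv6(host.slice(1, -1)));
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return isPrivateIPv4(host.split(".").map(Number));
  return host === "localhost";
}
```

Run `isPrivateUrl` on a candidate URL before any fetch and refuse it when the result is true; the check costs nothing when no literal address is involved.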
For 0.7.x deployments, update to 0.7.15:
For 0.8.x deployments, update to 0.8.3:
After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to @comfuture for the report and responsible disclosure to the Fedify project.
If anything is unclear, ask below.