MaaStodon PSA:
We're probably fine, but I recently noticed a serious security issue (not exactly the one directly related to Mastodon).
I recommend everyone change their passwords as a precaution.
I'm sorry.
One missing firewall, two independent issues.
- Nomad was exposing environment variables through its API, which is a huge deal.
- Some pgbouncer instances may have been exposed, which is a second huge fucking deal, especially for an attacker that has already found the first one.
The issue lasted less than 12 days and is of course fixed by now, but would have given an attacker complete access to everything.
Again I consider us lucky because nothing noticeably bad has happened.
@CobaltVelvet The first one is the issue everyone is talking about, right? And the second one is the one you discovered?
@Sylvhem even better: same issue, completely different reason, noticed a few hours before
@CobaltVelvet OK, thank you!
But I didn't think we were affected since we weren't running master?
(Sorry for all the questions, I'm trying to know what to announce.)
@Sylvhem exactly: completely different issue, same result. master exposed env vars through a file, i exposed it through an unprotected API.
@CobaltVelvet Oh thank you!
Too much hassle
I'm gonna play the odds, here
@CobaltVelvet everyone using Mastodon or just the octodon instance? O.o
@eloisa everyone using maastodon.net
@CobaltVelvet Do you think you'll be able to communicate information about this security issue to us later?