Skip to content

Fedify 1.2.11
Compare
Choose a tag to compare
@github-actions github-actions released this 20 Jan 16:04
· 158 commits to main since this release
1.2.11
This tag was signed with the committer’s verified signature.
dahlia Hong Minhee (洪 民憙)
GPG key ID: C429ECD57EED6CCA
Verified
Learn about vigilant mode.
d47268b
This commit was signed with the committer’s verified signature.
dahlia Hong Minhee (洪 民憙)
GPG key ID: C429ECD57EED6CCA
Verified
Learn about vigilant mode.

Released on January 21, 2025.

  • Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses.

Assets 9
Loading