🕷️
(IMPORTANT, PLEASE REPOST)

I discovered a high-severity vulnerability within BloatFE, which extends to 8bloat. I am going to release a patch in 48 hours from this post that fixes the issues. Additionally @r will push a fix to the upstream repository.

There is no known version that is unaffected. There is no evidence this issue has been exploited in the wild.

In the meantime, to stay safe:

Admins: Completely shut off your instances of (8)bloat and wait for the patch to be released in the coming days. Do not run the server until this fix has been applied.

Users: Stop using the client and wait for more information in the coming days. Do not use the client until this fix has been applied.

(These are fairly generic instructions, I'm avoiding disclosing the nature of the issue at this time.)

There will be a few options once the patch is released:

1. If you're running Upstream Bloat, there will be a commit merged on the git repository to fix the issue. If you're running from git, you can run git pull. Similarly for 8bloat, we will push a fix you can pull. I will release this as pseudoversion v0.0.1.

2. If you're unable to pull down the commit, you can manually apply it using an unofficial patch that I will attach to the post. I will also attach a similar patch for 8bloat.

3. If you're unable to do either of the above, I will provide instructions for admins to mitigate the issue in BloatFE/8bloat.

In addition, I found a niche, low-severity issue that is unlikely to affect people and requires a very specific configuration.

Please spread the word, and let anyone who runs this client know about the issue.
2 comments
🕷️
The super irresponsible actions of r and Pete are not in line with what we agreed to in terms of a timeline with disclosure of information. We agreed to not disclose information until 48 hours after the post, and they both have disrespected that. They did not reach out to me before revealing that information. Pete getting knowledge of the issue ahead of the disclosure timeline was also done without communication after I explicitly set the initial timeline to have him involved after. I attempted to ask r to delete their reply, but they refused and downplayed what they said.

They are risking users and making an issue not only for themselves but for 8bloat, which is a hard independent fork. I take security issues like these seriously, and they're being incredibly disrespectful and selfish instead of waiting less than two days to talk about it. Now I have to clean up the mess on my end and explain what happened to my users and leave them on constant edge during this period. This all stems from me doing a security audit on 8bloat and giving them the courtesy of working with me to make sure nobody was affected by the issue in upstream. Basic respect was not given throughout the entire process.

I'm currently monitoring for evidence of the issue being discovered. If you find evidence of an attacker finding out what it is, or if someone reveals more information that would enable an attacker to exploit the issue, please let me know so I can publish the patch early.

The issue is being downplayed now to a misleading/factually incorrect degree. DO NOT USE THE CLIENT.

I'm sorry to 8bloat users. I wish I could've seen this shit coming. I'm going to be more careful about who I disclose these kinds of issues to in the future and take a downstream-first approach.
🕷️
I would just like to remind people Pete is putting me in a position where I am unable to defend myself. I'm currently unable to dissect why he's wrong because I'm trying to not have people affected by the security issue. This is fucking evil shit. Please just wait the day and a half and shit on me then. Pete is wrong, that's all I'm allowed to say given the disclosure timeline.