Patch for the vulnerability in bloat that allows a malicious upstream server (Pleroma/Mastodon) to return crafted JSON data in the response of an API called by bloat, making it run out of memory and causing a Denial of Service.
The attack could be performed by a malicious user by connecting to a malicious server. Technically, it doesn't have to be a Mastodon compatible server; any HTTP server that would respond to the HTTP paths requested by bloat could work.
bloat instances running in the single instance mode are not affected assuming the specified instance doesn't serve the malicious response.
The patch applies a limit on the size of the response body returned by the server, currently set to 8 MiB.
https://git.freesoftwareextremist.com/bloat/commit/?id=ad38855261dca802439922f71408e2b08e7c10ea
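The following is an added example, not bloat's own code and not the patch linked above, showing the pattern the fix describes: reading a JSON API response through a hard byte cap so that a malicious server cannot make the client allocate without bound. The 8 MiB constant, the function names, and the stand-in "malicious instance" served by httptest are assumptions for illustration. It also contrasts the unbounded decode that such a server can abuse with the capped version.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxResponseSize mirrors the 8 MiB cap mentioned in the advisory; the exact
// constant and name bloat uses are assumptions here.
const maxResponseSize int64 = 8 << 20

var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// decodeJSONUnbounded is the vulnerable pattern (hypothetical, for contrast):
// json.Decoder buffers the whole JSON value before decoding it, so a server
// that keeps streaming one huge array forces the client to grow that buffer
// and the decoded slice until memory runs out.
func decodeJSONUnbounded(resp *http.Response, v interface{}) error {
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(v)
}

// readLimited reads at most max bytes from r. It asks the LimitReader for
// one byte more than the cap so it can distinguish "exactly max bytes"
// (allowed) from "more than max bytes" (rejected).
func readLimited(r io.Reader, max int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > max {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// decodeJSONLimited is the hardened pattern. The Content-Length check is only
// a cheap early rejection: a malicious server can omit the header (chunked
// encoding) or lie in it, so the byte cap on the body read is what actually
// bounds memory. Closing the body early also drops the connection, so the
// server cannot keep feeding data.
func decodeJSONLimited(resp *http.Response, v interface{}, max int64) error {
	defer resp.Body.Close()
	if resp.ContentLength > max {
		return ErrResponseTooLarge
	}
	data, err := readLimited(resp.Body, max)
	if err != nil {
		return err
	}
	return json.Unmarshal(data, v)
}

func main() {
	// Constructed stand-in for a malicious instance: it answers any path with
	// a JSON array far larger than the demo cap and, because the body exceeds
	// the server's write buffer, is sent chunked without a Content-Length.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte("["))
		for i := 0; i < 100000; i++ {
			w.Write([]byte(`{"id":"1"},`))
		}
		w.Write([]byte(`{"id":"1"}]`))
	}))
	defer srv.Close()

	resp, err := http.Get(srv.URL + "/api/v1/timelines/home")
	if err != nil {
		panic(err)
	}
	var statuses []map[string]string
	const demoLimit = 64 << 10 // 64 KiB so the demo trips quickly; use maxResponseSize in practice
	err = decodeJSONLimited(resp, &statuses, demoLimit)
	fmt.Println("limited decode:", err) // ErrResponseTooLarge; at most 64 KiB + 1 bytes were ever held
}
```

The cap has to sit on the body reader, not on a header value: Content-Length is attacker-controlled and absent for chunked responses, which is exactly what a hostile server would use.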