Michael Stanclift

There have been two sets of CVEs that were released for Mastodon this year. One set on July 6, and one set on September 19.

The July 6 set was particularly serious, and there was a big push to get folks to upgrade off 4.1.2 and other vulnerable branches.

According to FediDB data, 16.2% of instances are remaining on versions still exposed by the July 6 CVEs or on unknown end-of-life versions that weren't evaluated but may contain those same issues.

33.0% are impacted by the September 19 CVEs.

#MastoAdmin

JL Johnson :veri_mast:

@vmstan I wonder if bad actors could use outdated instances to attack the up-to-date ones? Is there some setting somewhere to "break up" with instances that are X days/versions out of date?

Michael Stanclift

I'm not a statistician, but there are a few things to consider in all this.

FediDB is a really good source of truth, but there is no single source of who runs what versions.

There is a possibility that folks individually patched their instances with the relevant CVE fixes but otherwise remained on older versions.

There are a number of dead instances in FediDB, where they may have been polled when their version was the latest and greatest, and then disappeared from the Fediverse.

Michael Stanclift

Something else to consider, but that I've not figured out a great way to poll yet, is the user representation of those on outdated installs.

The largest instances in the network tend to have administrators who are aware of updates, and apply them regularly (especially when it's security related) either because they care, because their users ask them to, or because they're on managed providers that handle it for them.

Sorted by monthly active users:
10 of 10
19 of 20
46 of 50
92 of 100

Are all patched.

stuart

@vmstan

A useful feature would be for Admins to automatically block instances below a security version level. Might encourage recalcitrant Admins to catch up.

Paging @Gargron

Emelia 👸🏻

@stuart @vmstan @Gargron mastodon currently doesn't collect nor store information on the instances it's federating with, afaik, so this would be hard to do, without a change to collect that data.

stuart

@thisismissem @vmstan @Gargron

The information is there in the API, which known instances could be sampled from daily. Only it might get complicated with instances not using Mastodon. Perhaps introducing a unique version code like mstdn.4.x.x or kbin.x.x.x might help.

Vulnerabilities occur elsewhere. Might be useful if a GitHub account of another distribution gets compromised and they need to be locked out until proven safe.

Just a suggestion going forward if other distributions would co-operate.

Emelia 👸🏻

@stuart @vmstan yes, the information may be in the API & available via say nodeinfo, but Mastodon doesn't actually store data about instances, just the known accounts & domain blocks.

tbh, this would possibly be better done via an advisory list.
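The daily sampling that stuart and Emelia discuss above, written out as an added example (this is not Mastodon's code and not code from anyone in this thread). It follows the nodeinfo discovery flow an admin-side audit would use: read a peer's /.well-known/nodeinfo, follow the link for the newest nodeinfo schema, and read software.name and software.version from the linked document, then classify each peer against a per-branch minimum patch level. The peer documents are a constructed in-memory fixture standing in for live HTTP responses, the policy thresholds are placeholders rather than the fix versions of any real advisory, and the names fixture_fetch, discover_nodeinfo, classify and audit_peers are assumptions made for this example.

```python
"""Audit federated peers' software versions from their nodeinfo documents.

Added example for this thread: the peer documents are constructed, and the
policy thresholds are placeholders. Nothing here is Mastodon's own code.
"""
import re

# Nodeinfo discovery: /.well-known/nodeinfo lists links whose "rel" is one of
# these schema URIs; each "href" points at the actual nodeinfo document.
NODEINFO_RELS = (
    "http://nodeinfo.diaspora.software/ns/schema/2.1",
    "http://nodeinfo.diaspora.software/ns/schema/2.0",
)

# PLACEHOLDER policy: per software, per release branch (major, minor), the
# lowest patch level treated as fixed. Take real values from the advisory.
EXAMPLE_POLICY = {
    "mastodon": {(4, 1): 3, (4, 0): 7},
}

# Constructed fixture keyed by URL, standing in for HTTP GET responses.
FIXTURE = {
    "https://a.example/.well-known/nodeinfo": {"links": [
        {"rel": NODEINFO_RELS[1], "href": "https://a.example/nodeinfo/2.0"}]},
    "https://a.example/nodeinfo/2.0": {"software": {"name": "mastodon", "version": "4.1.2"}},
    "https://b.example/.well-known/nodeinfo": {"links": [
        {"rel": NODEINFO_RELS[0], "href": "https://b.example/nodeinfo/2.1"}]},
    "https://b.example/nodeinfo/2.1": {"software": {"name": "mastodon", "version": "4.1.6+glitch"}},
    "https://c.example/.well-known/nodeinfo": {"links": [
        {"rel": NODEINFO_RELS[1], "href": "https://c.example/nodeinfo/2.0"}]},
    "https://c.example/nodeinfo/2.0": {"software": {"name": "mastodon", "version": "3.4.1"}},
    "https://d.example/.well-known/nodeinfo": {"links": [
        {"rel": NODEINFO_RELS[1], "href": "https://d.example/nodeinfo/2.0"}]},
    "https://d.example/nodeinfo/2.0": {"software": {"name": "kbin", "version": "1.0.0"}},
    # e.example has gone dark: no documents at all (a "dead instance").
}


def fixture_fetch(url):
    """Stand-in for an HTTP client: returns parsed JSON or None on failure."""
    return FIXTURE.get(url)


def parse_version(text):
    """Leading numeric triple of a version string ("4.1.6+glitch" -> (4, 1, 6))."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def discover_nodeinfo(domain, fetch):
    """Follow /.well-known/nodeinfo to the newest-schema nodeinfo document."""
    well_known = fetch(f"https://{domain}/.well-known/nodeinfo")
    if not well_known:
        return None
    links = {link.get("rel"): link.get("href") for link in well_known.get("links", [])}
    for rel in NODEINFO_RELS:  # ordered newest schema first
        if rel in links:
            return fetch(links[rel])
    return None


def classify(software, version, policy):
    """Compare one peer's (software, version) against the policy."""
    name = (software or "").lower()
    if name not in policy:
        return "other-software"      # e.g. kbin: needs its own policy entry
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    branch = parsed[:2]
    if branch not in policy[name]:
        return "unevaluated"         # end-of-life or not covered by the policy
    return "patched" if parsed[2] >= policy[name][branch] else "vulnerable"


def audit_peers(domains, policy, fetch=fixture_fetch):
    """Map each known peer domain to its status under the policy."""
    report = {}
    for domain in domains:
        doc = discover_nodeinfo(domain, fetch)
        if doc is None:
            report[domain] = "unreachable"
            continue
        software = doc.get("software", {})
        report[domain] = classify(software.get("name"), software.get("version"), policy)
    return report


if __name__ == "__main__":
    peers = ["a.example", "b.example", "c.example", "d.example", "e.example"]
    for domain, status in audit_peers(peers, EXAMPLE_POLICY).items():
        print(f"{domain:12} {status}")
```

To run this against real peers, replace fixture_fetch with a function that performs the HTTP GET with a timeout and returns None on any error; the "unevaluated" and "unreachable" buckets are the same caveats Michael raises above (end-of-life branches nobody scored, and dead instances that still appear in a directory), so a report should surface them separately rather than folding them into "vulnerable".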
