Security Update: Hollo 0.6.19 Released
We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.
This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.
We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.
CVE: CVE-2025-68475
Severity: High (CVSS 7.5)
Action: Upgrade to Hollo 0.6.19
#Hollo #Security #Fediverse #ActivityPub
I mean, if you really want end-to-end encryption then just put a contact for that into your profile, and then if someone wants to securely DM you they can, and they have the properly implemented and battle-tested double ratchet and all that. But no, apparently that's not good enough and it has to be a one-stop shop, and every fediverse implementation will have to roll its own end-to-end crypto, probably with years of interop bugs and leaks ahead.
#security #sigh #ActivityPub
I consider this a failure on our part but I don’t really know what to do about it. Most arguments against #XMPP don’t hold if you’re building from scratch anyway:
• #Conversations_im looks very outdated: OK, but you are developing your own clients anyway.
• XMPP doesn’t have an SDK: Neither does your #ActivityPub or email stack
• OMEMO is insecure and I would prefer #MLS: Yes, let’s work on that together and you’ll still benefit from XMPP’s 100+ solved IM problems.
Fabulous! I took note in the #ActivityPub #C2S tracking issue I keep on the delightful #fediverse experience curated list.
https://codeberg.org/fediverse/delightful-fediverse-experience/issues/130#issuecomment-9083289
As a community, we often ask ourselves how to attract more users to #XMPP. Yet the real tragedy is that people would rather build something entirely new (loosely based on email or #ActivityPub) than consider XMPP. Need end-to-end encryption by default? If compatibility with existing XMPP clients is a secondary concern, you can implement it in your own solution while still benefiting from our two decades of experience in instant messaging.
When you talk about the #Fediverse, is #Threads included?
And do you believe anyone will federate it completely, including account portability?
🚨 Security Advisory: CVE-2025-68475
A ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in Fedify's HTML parsing code. This vulnerability could allow a malicious federated server to cause denial of service by sending specially crafted HTML responses.
CVE ID: CVE-2025-68475
Severity: High (CVSS 7.5)
Affected versions: ≤1.9.1
Patched versions: 1.6.13, 1.7.14, 1.8.15, 1.9.2
If you're running Fedify in production, please upgrade to one of the patched versions immediately.
For full details, see the security advisory: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93
Thank you to Yue (Knox) Liu for responsibly reporting this vulnerability.
#Fedify #ActivityPub #security #fediverse #fedidev
I’ll be discussing #ActivityPub #c2s api at #fosdem
https://fosdem.org/2026/schedule/event/QK7XSV-activitypub-c2s/
They are threatening to bring #E2EE to #ActivityPub. But not soon.
https://socialwebfoundation.org/2025/12/19/implementing-encrypted-messaging-over-activitypub/
Did you know that I have a website where I curate apps, websites, and resources for not only the Fediverse (ActivityPub) but for ATProto as well?
Check it out here: https://qrurls.app/fediverseresources/
I'm always looking for contributors and assistant curators. Reach out if you're interested.
#FediverseResources #ATProtoResources #BlueskyResources #fediverse #atproto #activitypub
