#webfinger


Have you ever asked yourself how the BSD Café Mastodon instance was built?

Stefano has written here what he has done. You should have at least a rudimentary knowledge of what a jail is in order to follow everything, at least in a simple manner.

In short, a jail is much more efficient than a VM, uses far fewer resources, and is easier to control.

If you take the time to study all the subjects, you will be able to build a FreeBSD instance of Mastodon yourself; all the information necessary is provided here, and deep to very deep details you can dig up yourself.

wiki.bsd.cafe/bsdcafe-technica

🖋️ #bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger

I have had an account on an instance where the system operator had to shut down because the operational costs were too high to sustain the node. All proper precautions were taken and the operator gave us more than six weeks to get all of our followers moved somewhere else. He also made sure that everybody got the message by sending it multiple times, also through email. I had made an account there because that place was bot friendly {botsin.space/} and I was going to create a bot on that instance.

However, since I put so few toots out there on that account, I didn't even bother to download them. And since I'm quite aware of high internet costs, I also make sure that I have accounts in different places, because in the end somebody is paying for it, either in cash or by using surplus bandwidth and surplus disk space.

We as Fediverse community users should realise that nothing is free apart from air and water; everything else costs either time, space-time or energy, often a combination of the latter two.

I've just checked and botsin.space/ still seems to be up as a read-only instance.

@altbot

🖋️ #bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json  #POSIX #SocialMedia #webfinger

In this article Stefano explains to you how to use a WebFinger system so that people can always find your address.

An important message here is that _you should always own your data_. So do not rely on cloud or web services to maintain your data. Always remember that many of those massive conglomerates use your data and sell it, literally sell it, or the metadata of it, to the highest bidder.

Within the Fediverse it's easy to migrate from one server to the next; your followers will automatically follow your new account.

it-notes.dragas.net/2024/10/08

🖋️ #bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger


We have released security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) for CVE-2025-23221, a vulnerability in Fedify's WebFinger implementation. We recommend that all users update promptly to the latest version of the release series they are using.

Vulnerability details

A security researcher discovered the following security issues in Fedify's lookupWebFinger() function:

  • Possible denial-of-service (DoS) attack through an infinite redirect loop
  • Possible SSRF (server-side request forgery) attack using redirects to private network addresses
  • Possible access to unintended URL schemes through redirect manipulation

Fixed versions

  • 1.3.x series: update to 1.3.4
  • 1.2.x series: update to 1.2.11
  • 1.1.x series: update to 1.1.11
  • 1.0.x series: update to 1.0.14

Changes

This security update implements the following fixes:

  1. Introduced a maximum redirect count (5) to prevent infinite redirect loops
  2. Restricted redirects to the same scheme (HTTP/HTTPS) as the original request
  3. Blocked redirects to private network addresses to prevent SSRF

How to update

You can update to the latest secure version with the following commands:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly reported this vulnerability, which made a prompt response possible.

For details of this vulnerability, please refer to the security advisory.

If you have any questions or concerns, feel free to contact us through GitHub Discussions, the Matrix chat space, or the Discord server.

GitHub: Infinite loop and Blind SSRF found inside the WebFinger mechanism
Summary: This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security...

We have released security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a security vulnerability found in the #Fedify framework's #WebFinger implementation. We recommend that all users update immediately to the latest version of the release series they are using.

Vulnerability details

A security researcher discovered the following security issues in Fedify's lookupWebFinger() function:

  • Denial-of-service attack possible through an infinite redirect loop
  • SSRF (server-side request forgery) attack possible through redirects to internal network addresses
  • Access to unintended URL schemes possible through redirect manipulation

Fixed versions

  • 1.3.x series: update to 1.3.4
  • 1.2.x series: update to 1.2.11
  • 1.1.x series: update to 1.1.11
  • 1.0.x series: update to 1.0.14

Changes

This security update includes the following fixes:

  1. Introduced a maximum redirect count limit (5) to prevent infinite redirect loops
  2. Restricted redirects so that only the same scheme (HTTP/HTTPS) as the original request is allowed
  3. Blocked redirects to internal network addresses to prevent SSRF attacks

How to update

You can update to the latest secure version with the following commands:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly reported this vulnerability; thanks to them we were able to resolve the issue quickly.

For more details about this vulnerability, please refer to the security advisory.

If you have any questions or concerns, please feel free to contact us at any time through GitHub Discussions, the Matrix chat room, or the Discord server.

GitHub: Infinite loop and Blind SSRF found inside the WebFinger mechanism
Summary: This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security...

We have released #security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a #vulnerability in #Fedify's #WebFinger implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, our Matrix chat space, or our Discord server.

GitHub: Release Fedify 1.0.14 · dahlia/fedify
Released on January 21, 2025. Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221] Fixed a security vulnerability where the lookupWebFinger() function had ...
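The three fixes listed under Changes above (the same ones described in the Japanese and Korean posts) are easy to get wrong one at a time, so here they are together in an added JavaScript example. This is not Fedify's lookupWebFinger() or any code from the project: the cap of 5 hops is the number the advisory gives, while the private address range list, the error texts, the acct: parsing and the injectable fetchImpl (so the example runs offline against constructed responses) are assumptions made for this sketch.

```javascript
// Added example, not Fedify's code: a WebFinger lookup that follows redirects
// with the three guards the advisory lists. The cap of 5 is from the advisory;
// the address ranges, error texts and the injectable fetch are assumptions.
const MAX_REDIRECTS = 5;

// True for hosts a redirect must never send us to: the localhost name, literal
// IPv4 addresses in loopback/private/link-local ranges, and a coarse set of
// IPv6 literals. Hostnames are NOT resolved here (see the note below the code).
function isPrivateHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 ||            // 0/8, 10/8, 127/8
      (a === 169 && b === 254) ||                          // 169.254/16
      (a === 172 && b >= 16 && b <= 31) ||                 // 172.16/12
      (a === 192 && b === 168) ||                          // 192.168/16
      (a === 100 && b >= 64 && b <= 127);                  // 100.64/10
  }
  if (host.includes(":")) {                                 // IPv6 literal
    if (host === "::1" || host === "::") return true;       // loopback, unspecified
    if (/^f[cd]/.test(host) || /^fe[89ab]/.test(host)) return true; // fc00::/7, fe80::/10
    const mapped = host.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isPrivateHost(mapped[1]);            // ::ffff:a.b.c.d
  }
  return false;
}

// Resolve a Location header against the current URL and apply the guards.
function checkRedirectTarget(current, location) {
  if (location === null) throw new Error("redirect without Location header");
  const next = new URL(location, current);                  // handles relative Location
  if (next.protocol !== "http:" && next.protocol !== "https:") {
    throw new Error(`unsupported scheme ${next.protocol}`);
  }
  if (next.protocol !== current.protocol) {
    throw new Error(`scheme change ${current.protocol} -> ${next.protocol} refused`);
  }
  if (isPrivateHost(next.hostname)) {
    throw new Error(`redirect to private network host ${next.hostname} refused`);
  }
  return next;
}

// Fetch the JRD for an acct: resource. fetchImpl(url, init) must return a
// Response-like object { status, headers.get(), json() }; it is injectable so
// the example runs offline. Redirects are handled here, never by the client.
async function lookupWebFinger(resource, fetchImpl) {
  const acct = resource.startsWith("acct:") ? resource.slice(5) : resource;
  let url = new URL(`https://${acct.split("@").pop()}/.well-known/webfinger`);
  url.searchParams.set("resource", resource);
  for (let hops = 0; ; hops++) {
    const res = await fetchImpl(url.href, { redirect: "manual" });
    if (res.status >= 300 && res.status < 400) {
      if (hops >= MAX_REDIRECTS) throw new Error("too many redirects");
      url = checkRedirectTarget(url, res.headers.get("location"));
      continue;
    }
    if (res.status !== 200) throw new Error(`WebFinger lookup failed: HTTP ${res.status}`);
    return res.json();
  }
}

// Constructed offline stand-in for fetch(): routes maps a URL to a canned reply.
function makeFakeFetch(routes) {
  return async (href) => {
    const r = routes[href] ?? { status: 404 };
    return {
      status: r.status,
      headers: { get: (n) => (n.toLowerCase() === "location" ? r.location ?? null : null) },
      json: async () => r.body,
    };
  };
}

// Four constructed scenarios; returns how each lookup ends.
async function runScenarios() {
  const base = "https://example.org/.well-known/webfinger?resource=acct%3Aalice%40example.org";
  const jrd = { subject: "acct:alice@example.org", links: [] };
  const scenarios = {
    ok:     { [base]: { status: 302, location: "/wf2" },           // one benign hop
              "https://example.org/wf2": { status: 200, body: jrd } },
    loop:   { [base]: { status: 302, location: "/a" },             // /a and /b bounce forever
              "https://example.org/a": { status: 302, location: "/b" },
              "https://example.org/b": { status: 302, location: "/a" } },
    ssrf:   { [base]: { status: 302, location: "https://127.0.0.1/" } },     // into loopback
    scheme: { [base]: { status: 302, location: "http://example.org/wf" } }, // https -> http
  };
  const out = {};
  for (const [name, routes] of Object.entries(scenarios)) {
    try {
      out[name] = `ok: ${(await lookupWebFinger("acct:alice@example.org", makeFakeFetch(routes))).subject}`;
    } catch (e) {
      out[name] = `refused: ${e.message}`;
    }
  }
  return out;
}

runScenarios().then((r) => console.log(r));
```

The target check only looks at literal IP addresses and the localhost name in the Location header; it does not examine what a hostname resolves to, so a production implementation also has to resolve the name and check (and pin) the resulting addresses before connecting, or an attacker-controlled DNS record can still point a "public" hostname at an internal address. The advisory does not say how Fedify's fix handles that part, so nothing in this sketch should be read as a description of its behaviour.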

@galileo@mstdn.animexx.de @nick@norden.social @uwe@schraepler.de

Hello.

Today, for once, from an instance of my own.

Multiple domains on one instance in the #Fediverse via #ActivityPub is something one could think through.

First of all, a #WebFinger call would probably have to work.

But first the details of the requirement: what exactly should people keep on their domain, and what should be possible in terms of configuration and technical details?


@point5a @Vivaldi @johnbeen So, I happened to get my #VivaldiMail address, after all. I previously did it, but I still need to set it up on my #MacBook app for downloading. Meanwhile, I also now have a secondary #Mastodon account at #VivaldiSocial.
I have also been completing my #Fediverse, #Mastodon, #BlueSky, and other connections at #WordPress, thanks to #ActivityPub, #Jetpack, #Webfinger, #Friends, #Hum, #Webmention, and other #plugins. Thanks also to people like @pfefferle and many others who have been making these plugin applications happen over the years. Big improvements! Almost there in my setup… getting better every day. I've been incredibly productive, and on the way! Thanks to the community here!! @mastodonmigration too.