Hollo :hollo:@hollo@hollo.social
:hollo: A federated single-user microblogging software.
Website: https://hollo.social/
GitHub: https://github.com/fedify-dev/hollo
Fedify: https://fedify.dev/
Joined: 2026-05-11 00:47:12
4 notes, 0 following, 0 followers
Hollo :hollo:@hollo@hollo.social (2026-06-09 00:08:21)
Hollo security updates: 0.7.18, 0.8.7, and 0.9.4
If you run Hollo, update to a patched release now. CVE-2026-50131 affects Fedify's SSRF protection, and Hollo depends on Fedify for ActivityPub federation.
Fedify guards against SSRF (Server-Side Request Forgery) when fetching remote ActivityPub objects, documents, and media by validating that the resolved destination is a public IP address. The previous SSRF fix (GHSA-p9cg-vqcc-grcx) blocked common private and local ranges such as 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, and 192.168.0.0/16, but the validation was incomplete—it still treated several special-use IPv4 ranges as public destinations that should have been rejected. These include carrier-grade NAT (100.64.0.0/10), benchmarking and internal testing networks (198.18.0.0/15), multicast (224.0.0.0/4), reserved (240.0.0.0/4), IETF protocol assignments (192.0.0.0/24), and documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
An attacker who controls a remote ActivityPub object or media URL could therefore cause a Hollo instance to initiate outbound requests to non-public or special-use network ranges, depending on the deployment environment and network routing.
For full technical details of the underlying vulnerability, see the Fedify security advisory and the Fedify security announcement.
All Hollo versions up to and including 0.7.17, 0.8.6, and 0.9.3 are affected. Patched releases are 0.7.18 for the 0.7.x series, 0.8.7 for the 0.8.x series, and 0.9.4 for the 0.9.x series.
For 0.7.x deployments, update to 0.7.18:
docker pull ghcr.io/fedify-dev/hollo:0.7.18
For 0.8.x deployments, update to 0.8.7:
docker pull ghcr.io/fedify-dev/hollo:0.8.7
For 0.9.x deployments, update to 0.9.4:
docker pull ghcr.io/fedify-dev/hollo:0.9.4
After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to Chaitanya Vilas Garware for the report and responsible d
Hollo :hollo:@hollo@hollo.social (2026-05-21 02:39:43)
Hollo security updates: 0.7.17, 0.8.6, and 0.9.1
If you run Hollo, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and Hollo depends on Fedify for ActivityPub federation.
Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended—without invalidating the signature.
The fix makes Fedify normalize Linked Data Signature-verified activities against its local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape. For full technical details of the underlying vulnerability, see the Fedify security announcement.
All Hollo versions up to and including 0.7.16, 0.8.5, and 0.9.0 are affected. Patched releases are 0.7.17 for the 0.7.x series, 0.8.6 for the 0.8.x series, and 0.9.1 for the 0.9.x series.
For 0.7.x deployments, update to 0.7.17:
docker pull ghcr.io/fedify-dev/hollo:0.7.17
For 0.8.x deployments, update to 0.8.6:
docker pull ghcr.io/fedify-dev/hollo:0.8.6
For 0.9.x deployments, update to 0.9.1:
docker pull ghcr.io/fedify-dev/hollo:0.9.1
After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to @Claire for the report and responsible disclosure to the Fedify project.
If anything is unclear, ask below.
Hollo :hollo:@hollo@hollo.social (2026-05-19 12:00:52)
Hollo security updates: 0.7.16 and 0.8.5
If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.
On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.
On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.
The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison fo
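The inbox authorization rules described above, as an added TypeScript example that is not Hollo's own inbox code: the post cache is a Map, the canonical-URL fetch is an injected function, and the `CachedPost`/`Activity` shapes are minimal stand-ins for the real ActivityPub objects.

```typescript
// Added example, not Hollo's code: the per-activity origin checks from the
// 0.7.16/0.8.5 advisory. Cache and fetch are stand-ins (a Map and a callback).
interface CachedPost { id: string; attributedTo: string }
interface Activity {
  type: string;
  actor: string;
  object: string | { id: string; attributedTo?: string };
}

const originOf = (iri: string): string | null => {
  try { return new URL(iri).origin; } catch { return null; }
};
const sameOrigin = (...iris: string[]): boolean => {
  const o = iris.map(originOf);
  return o[0] !== null && o.every((x) => x === o[0]);
};
const objectId = (a: Activity): string =>
  typeof a.object === "string" ? a.object : a.object.id;

// Delete: ignored unless the deleter's origin matches the cached author's origin.
function acceptDelete(a: Activity, cache: Map<string, CachedPost>): boolean {
  const cached = cache.get(objectId(a));
  if (!cached || !sameOrigin(a.actor, cached.attributedTo)) return false;
  cache.delete(cached.id);
  return true;
}

// Update: actor, embedded object id and attributedTo must all share an origin.
function acceptUpdate(a: Activity, cache: Map<string, CachedPost>): boolean {
  if (typeof a.object === "string" || !a.object.attributedTo) return false;
  const { id, attributedTo } = a.object;
  if (!sameOrigin(a.actor, id, attributedTo)) return false;
  cache.set(id, { id, attributedTo });
  return true;
}

// Announce: an embedded body is trusted only when it is same-origin with the
// announcer; an unknown cross-origin object is fetched from its canonical URL,
// and anything newly cached must have matching id/attributedTo origins.
function acceptAnnounce(a: Activity, cache: Map<string, CachedPost>,
                        fetchObject: (id: string) => CachedPost | null): boolean {
  const id = objectId(a);
  if (cache.has(id)) return true;
  const embedded = typeof a.object === "string" ? null : a.object;
  let obj: CachedPost | null;
  if (embedded && embedded.attributedTo && sameOrigin(a.actor, id)) {
    obj = { id, attributedTo: embedded.attributedTo };
  } else {
    obj = fetchObject(id); // never the attacker-supplied embedded copy
  }
  if (!obj || obj.id !== id || !sameOrigin(obj.id, obj.attributedTo)) return false;
  cache.set(id, obj);
  return true;
}
```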
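Two defender-side checks matching the web admin fixes above, as an added example that is not Hollo's code: an audit of a Set-Cookie header for the attributes the login and OTP cookies now carry, and a same-site decision for state-changing requests based on Sec-Fetch-Site with Origin as the fallback (a stand-alone restatement of the kind of check Hono's CSRF middleware performs, not that middleware itself).

```typescript
// Added example, not Hollo's code. The required attribute list and the
// header-precedence rule (Sec-Fetch-Site first, then Origin) are assumptions.
const REQUIRED_ATTRS = ["HttpOnly", "Secure", "SameSite"];

// Returns the attributes a Set-Cookie header value lacks, e.g.
// "session=abc; Path=/" -> ["HttpOnly", "Secure", "SameSite"].
function missingCookieAttributes(setCookie: string): string[] {
  const attrs = setCookie.split(";").slice(1).map((s) => s.trim().toLowerCase());
  const present = (name: string) => {
    const n = name.toLowerCase();
    return attrs.some((a) => a === n || a.startsWith(n + "="));
  };
  const missing = REQUIRED_ATTRS.filter((name) => !present(name));
  // SameSite=None gives no cross-site protection, so count it as missing too.
  if (attrs.includes("samesite=none") && !missing.includes("SameSite")) {
    missing.push("SameSite");
  }
  return missing;
}

// True only when the browser attests the request came from our own origin.
// Requests carrying neither header (non-browser clients, very old browsers)
// are rejected for state-changing routes.
function isSameSiteRequest(headers: Record<string, string | undefined>,
                           selfOrigin: string): boolean {
  const site = headers["sec-fetch-site"];
  if (site !== undefined) return site === "same-origin";
  const origin = headers["origin"];
  return origin !== undefined && origin === selfOrigin;
}
```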
Hollo :hollo:@hollo@hollo.social (2026-05-10 23:42:19)
Hollo security updates: 0.7.15 and 0.8.3
If you run Hollo, update to a patched release now. A private network protection bypass in Fedify, the ActivityPub framework Hollo depends on, affects remote document loading. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass URL validation even though they refer to private or loopback addresses.
Hollo uses Fedify to fetch remote ActivityPub documents and related resources. An attacker who can make your Hollo instance fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF (Server-Side Request Forgery) risk.
All Hollo versions up to and including 0.7.14 and 0.8.2 are affected. Patched releases are 0.7.15 for the 0.7.x series and 0.8.3 for the 0.8.x series. For full technical details of the underlying vulnerability, see the Fedify security announcement.
For 0.7.x deployments, update to 0.7.15:
docker pull ghcr.io/fedify-dev/hollo:0.7.15
For 0.8.x deployments, update to 0.8.3:
docker pull ghcr.io/fedify-dev/hollo:0.8.3
After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to Changkyun Kim (@me) for the report and responsible disclosure to the Fedify project.
If anything is unclear, ask below.
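The destination validation both SSRF advisories on this page describe (the special-use IPv4 ranges from the 0.7.18/0.8.7/0.9.4 post and the IPv4-mapped IPv6 literal bypass from the 0.7.15/0.8.3 post), as an added TypeScript example that is not Fedify's own validator: it unwraps `[::ffff:7f00:1]`-style hosts (and the dotted `::ffff:127.0.0.1` form, which the posts do not mention) before checking the address against the ranges the posts list; `blockedReason` and the range labels are this example's own names.

```typescript
// Added example, not Fedify's validator: classify a resolved IPv4 destination
// against the ranges named in the two SSRF advisories above, after unwrapping
// the IPv4-mapped IPv6 literal form that bypassed the earlier check.
type Cidr = { net: number; bits: number; name: string };
function ipv4ToInt(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}
function cidr(text: string, name: string): Cidr {
  const [ip, bits] = text.split("/");
  return { net: ipv4ToInt(ip)!, bits: Number(bits), name };
}
// Private/local ranges from the earlier fix plus those added in 0.7.18/0.8.7/0.9.4.
const BLOCKED_V4: Cidr[] = [
  cidr("10.0.0.0/8", "private"), cidr("127.0.0.0/8", "loopback"),
  cidr("169.254.0.0/16", "link-local"), cidr("172.16.0.0/12", "private"),
  cidr("192.168.0.0/16", "private"), cidr("100.64.0.0/10", "carrier-grade NAT"),
  cidr("198.18.0.0/15", "benchmarking"), cidr("192.0.0.0/24", "IETF protocol assignments"),
  cidr("192.0.2.0/24", "documentation"), cidr("198.51.100.0/24", "documentation"),
  cidr("203.0.113.0/24", "documentation"), cidr("224.0.0.0/4", "multicast"),
  cidr("240.0.0.0/4", "reserved"),
];
// Turn an IPv4-mapped IPv6 host (brackets optional) into dotted-quad form.
function unmapIPv6(host: string): string {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  const m = /^::ffff:(.+)$/.exec(h);
  if (!m) return h;
  if (m[1].includes(".")) return m[1];                        // ::ffff:127.0.0.1
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(m[1]); // ::ffff:7f00:1
  if (!hex) return h;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
}
// Name of the blocked range the host falls in, or null if it is public.
function blockedReason(host: string): string | null {
  const n = ipv4ToInt(unmapIPv6(host));
  if (n === null) return "not an IPv4 address";
  for (const c of BLOCKED_V4) {
    const mask = (0xffffffff << (32 - c.bits)) >>> 0;
    if (((n & mask) >>> 0) === c.net) return c.name;
  }
  return null;
}
```

Run it against the address the resolver actually returns, not the hostname in the URL, so a DNS answer pointing into one of these ranges is caught as well.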