Federated Timeline


Reply to @Coro@mstdn.maud.io Coro@Coro@mstdn.maud.io (2026-06-09 01:13:08) A Red Sea blockade might possibly even hasten the end of the crisis.

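Coro@Coro@mstdn.maud.io boosted: @akahana@social.vivaldi.net (2026-06-09 01:01:26) First of all, that name is just unfair
> "ぜいきんであそぼ" ("Let's Play with Tax Money"), a board game made by University of Toyama students in which players take on the role of politicians and experience corruption
- Mr. Tabata and the "corruption game": university students learn how politics should work; devised by University of Toyama students, an experience in policy decisions | Local | Toyama News | Toyama Shimbun
https://www.hokkoku.co.jp/articles/tym/2131852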

fedicat@fedicat@pc.cafe boosted: @Punah@loops.video (2026-06-09 00:30:38) Working on adding Starter Kits. The UI/UX is definitely not final but it works. It's super cool that more platforms like Loops and now Mastodon have it.


#Loops #LoopsDev #StarterKits #Punah #PunahApp ---Attachments--- video: https://loopsusercontent.com/videos/286957193274361512/290697669109046604/uDQTOa3LaFwRqhZgE0lhsdg2uXGTjVloh6zHVj97.720p.mp4

fedicat@fedicat@pc.cafe boosted: @hollo@hollo.social (2026-06-09 00:08:21) Hollo security updates: 0.7.18, 0.8.7, and 0.9.4
If you run Hollo, update to a patched release now. CVE-2026-50131 affects Fedify's SSRF protection, and Hollo depends on Fedify for ActivityPub federation.

Fedify guards against SSRF (Server-Side Request Forgery) when fetching remote ActivityPub objects, documents, and media by validating that the resolved destination is a public IP address. The previous SSRF fix (GHSA-p9cg-vqcc-grcx) blocked common private and local ranges such as 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, and 192.168.0.0/16, but the validation was incomplete—it still treated several special-use IPv4 ranges as public destinations that should have been rejected. These include carrier-grade NAT (100.64.0.0/10), benchmarking and internal testing networks (198.18.0.0/15), multicast (224.0.0.0/4), reserved (240.0.0.0/4), IETF protocol assignments (192.0.0.0/24), and documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

An attacker who controls a remote ActivityPub object or media URL could therefore cause a Hollo instance to initiate outbound requests to non-public or special-use network ranges, depending on the deployment environment and network routing.

For full technical details of the underlying vulnerability, see the Fedify security advisory and the Fedify security announcement.

All Hollo versions up to and including 0.7.17, 0.8.6, and 0.9.3 are affected. Patched releases are 0.7.18 for the 0.7.x series, 0.8.7 for the 0.8.x series, and 0.9.4 for the 0.9.x series.

For 0.7.x deployments, update to 0.7.18:

    docker pull ghcr.io/fedify-dev/hollo:0.7.18

For 0.8.x deployments, update to 0.8.7:

    docker pull ghcr.io/fedify-dev/hollo:0.8.7

For 0.9.x deployments, update to 0.9.4:

    docker pull ghcr.io/fedify-dev/hollo:0.9.4

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

Thanks to Chaitanya Vilas Garware for the report and responsible d

fedicat@fedicat@pc.cafe boosted: @mkljczk@pl.fediverse.pl (2026-06-09 00:10:37) meow? ---Attachments--- image: https://mediapl.fediverse.pl/media/a5/28/45/a528450d84413f612027af1809c361504a69d48acd2699d94ce1b6c8df6c7b7a.png

fedicat@fedicat@pc.cafe boosted: @botkit@hollo.social (2026-06-09 00:20:09) BotKit security updates: 0.3.4 and 0.4.3
If you use BotKit, update to a patched release now. CVE-2026-50131 affects Fedify's SSRF protection for remote document and media loading, and BotKit inherits the exposure through its dependency on Fedify.

Fedify validates remote ActivityPub document and media URLs before fetching them, including direct IP literals and hostnames resolved through DNS, to protect against Server-Side Request Forgery (SSRF). The vulnerable path is validatePublicUrl(): affected versions rejected common private and local addresses, but still treated several special-use IPv4 ranges—including carrier-grade NAT, benchmarking, multicast, reserved, and documentation networks—as public internet destinations. An attacker could use these special-use IP address ranges to bypass Fedify's SSRF protections and cause a BotKit server to initiate requests to non-public or special-use network destinations, depending on the deployment environment and network routing.

The fix makes Fedify validate resolved addresses against public-network expectations instead of relying on the incomplete denylist. It rejects additional special-use IPv4 ranges before remote document or media fetching proceeds.

All versions of BotKit up to 0.3.3 (in the 0.3.x branch) and 0.4.2 (in the 0.4.x branch) are affected. Patched releases are 0.3.4 and 0.4.3.

For BotKit 0.4.x, update @fedify/botkit:

    npm update @fedify/botkit
    yarn upgrade @fedify/botkit
    pnpm update @fedify/botkit
    bun update @fedify/botkit
    deno update @fedify/botkit

For BotKit 0.3.x, update @fedify/botkit:

    npm update @fedify/botkit@0.3.4
    yarn upgrade @fedify/botkit@0.3.4
    pnpm update @fedify/botkit@0.3.4
    bun update @fedify/botkit@0.3.4
    deno update @fedify/botkit@0.3.4

After updating, redeploy. The GitHub Security Advisory is GHSA-xw9q-2mv6-9fr8, and the CVE ID is CVE-2026-50131. See also fedify-dev/fedify#796 for Fedify's own announcement.

Thanks to Chaitanya Vilas Garware for the report and responsible

fedicat@fedicat@pc.cafe boosted: @stefan@stefanbohacek.online (2026-06-09 00:22:48) RE: https://mastodon.iftas.org/@iftas/116715105294380557

Heads-up! I know I have a few mutuals on this server.

Reply to @stefan@stefanbohacek.online fedicat@fedicat@pc.cafe (2026-06-09 00:21:42) @stefan pretty cool! ---Attachments--- image: https://cdn.masto.host/pccafe/media_attachments/files/116/715/166/204/456/561/original/c8acd9ff42bfe491.jpeg

:hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-09 00:12:44) A movie in its 16th week of release that fills 730 seats in 3 minutes #とは

fedicat@fedicat@pc.cafe boosted: @stefan@stefanbohacek.online (2026-06-08 21:48:51) A little tool I made to "fediversify" your profile image.

https://avatars.jointhefediverse.net

Hope you'll like it!

#fediverse

Reply to @hos1miya@misskey.0sakana.xyz :hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-09 00:04:17) Filled up in 2 minutes, lol
#超かぐや姫 ---Attachments--- image: https://misskey.0sakana.xyz/files/webpublic-f8ca74a5-d9ab-46e8-a32b-ddd54184e7fc

fedicat@fedicat@pc.cafe boosted: @stefan@stefanbohacek.online (2026-06-08 21:50:31) Inspired by this recent "promo image" for the fediverse zine I made.

https://stefanbohacek.online/@stefan/116510604283511719

Go check it out, if you haven't seen it yet!

https://jointhefediverse.net/zine

fedicat@fedicat@pc.cafe boosted: @dansup@mastodon.social (2026-06-08 23:01:40) Make platforms easy for everyone, and document them with simple knowledge bases or help centers.

It may be a boring topic, but this is how we go mainstream by making your platforms easy to navigate and understand.

The new Loops Support site will be launching later this week, and Pixelfed's Support site will be launching later next month!

#Support #HelpCenters #Pixelfed #Loops ---Attachments--- image: https://files.mastodon.social/media_attachments/files/116/714/836/110/394/520/original/6ae1c721326764f1.png
image: https://files.mastodon.social/media_attachments/files/116/714/836/676/588/360/original/02b0a1f4b4bfc9f3.png
image: https://files.mastodon.social/media_attachments/files/116/714/836/923/326/047/original/09d53dbc5b430c2c.png

Reply to @hos1miya@misskey.0sakana.xyz :hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-09 00:01:15) The center seats almost sold out in 1 minute lol ---Attachments--- image: https://misskey.0sakana.xyz/files/webpublic-40a77ef8-2d61-4fa6-8ed2-9069b9b3c614

Reply to @hos1miya@misskey.0sakana.xyz :hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-09 00:00:38) ---Attachments--- image: https://misskey.0sakana.xyz/files/webpublic-0998d1c3-5e35-4029-b00e-8577981e209c

:hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-09 00:00:24) So fast lol ---Attachments--- image: https://misskey.0sakana.xyz/files/webpublic-5e860c88-25e8-4c40-94ac-f49fcc81b88f

fedicat@fedicat@pc.cafe boosted: @fedify@hollo.social (2026-06-08 23:56:47) Fedify security updates: 1.9.12, 1.10.11, 2.0.20, 2.1.16, and 2.2.5
If you use Fedify, update to a patched release now. CVE-2026-50131 affects Fedify's public URL validation for remote document and media loading. An attacker could use special-use IP address ranges to bypass Fedify's SSRF protections and cause a Fedify server to initiate requests to non-public or special-use network destinations, depending on the deployment environment and network routing.

Fedify validates remote ActivityPub document and media URLs before fetching them, including direct IP literals and hostnames resolved through DNS. The vulnerable path is validatePublicUrl(): affected versions rejected common private and local addresses, but still treated several special-use IPv4 ranges as public internet destinations. That gap could allow outbound requests to ranges such as carrier-grade NAT, benchmarking, multicast, reserved, and documentation networks.

The fix makes Fedify validate resolved addresses against public-network expectations instead of relying on the incomplete denylist. It rejects additional special-use IPv4 ranges and IPv6 translation or tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, before remote document or media fetching proceeds.

Current patched releases are 1.9.12, 1.10.11, 2.0.20, 2.1.16, and 2.2.5. The GitHub Security Advisory is GHSA-xw9q-2mv6-9fr8, and the CVE ID is CVE-2026-50131.

Update @fedify/fedify:

    npm update @fedify/fedify
    yarn upgrade @fedify/fedify
    pnpm update @fedify/fedify
    bun update @fedify/fedify
    deno update @fedify/fedify

If your project depends directly on @fedify/vocab-runtime, update that package too.

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to Chaitanya Vilas Garware for the report and responsible disclosure.

If anything is unclear, ask below.
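
The gap described in the Hollo, BotKit and Fedify advisories above, shown as an added example that is not code from any of those projects: the five ranges the earlier fix blocked are compared with the same list extended by the special-use IPv4 ranges named in the Hollo advisory. The function names (oldCheck, newCheck, gapAddresses) and the sample addresses are constructed for illustration; the IPv6 translation and tunneling prefixes mentioned in the Fedify post are not covered.

```typescript
// Added example: hypothetical names, not Fedify's validatePublicUrl() code.
type Cidr = [string, number];

// Ranges the earlier fix already blocked, as listed in the Hollo advisory.
const OLD_DENYLIST: Cidr[] = [
  ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];
// Special-use ranges the advisory says were still treated as public.
const MISSED: Cidr[] = [
  ["100.64.0.0", 10], ["198.18.0.0", 15], ["224.0.0.0", 4], ["240.0.0.0", 4],
  ["192.0.0.0", 24], ["192.0.2.0", 24], ["198.51.100.0", 24], ["203.0.113.0", 24],
];

// Strict dotted-quad parser: rejects leading zeros, hex, and short forms.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(addr: number, [base, bits]: Cidr): boolean {
  const size = 2 ** (32 - bits); // addresses per block; avoids 32-bit shifts
  return Math.floor(addr / size) === Math.floor((ipv4ToInt(base) ?? -1) / size);
}

// true = the address may be fetched; unparsable input fails closed.
function isAllowed(ip: string, denied: Cidr[]): boolean {
  const n = ipv4ToInt(ip);
  return n !== null && !denied.some((r) => inCidr(n, r));
}

const oldCheck = (ip: string): boolean => isAllowed(ip, OLD_DENYLIST);
const newCheck = (ip: string): boolean =>
  isAllowed(ip, [...OLD_DENYLIST, ...MISSED]);

// Addresses the old check lets through but the extended check rejects.
function gapAddresses(samples: string[]): string[] {
  return samples.filter((ip) => oldCheck(ip) && !newCheck(ip));
}

// Constructed samples: one per missed range, plus controls.
const SAMPLES: string[] = [
  "100.64.0.1", "198.18.0.1", "224.0.0.1", "240.0.0.1", "192.0.0.1",
  "192.0.2.1", "198.51.100.1", "203.0.113.1", "10.0.0.1", "1.1.1.1",
];
console.log(gapAddresses(SAMPLES));
```

A list like SAMPLES works as a regression check after upgrading: every address gapAddresses returns should be refused by the fetch path of a patched deployment.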

:hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-08 23:57:34) For now, I guess I'll go check how Saturday's reservations at Tachikawa are looking

Reply to @hos1miya@misskey.0sakana.xyz :hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-08 23:52:59) Pen-san will be there on Wednesday

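:hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-08 23:49:43) On Wednesday, Kawasaki finishes around 17:30, so I think we could at least meet up after that
Thursday is iffy, I guess
Either way, actually watching it would be tough... (the Tachikawa evening screening ends just before 23:00, after all)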

:hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-08 23:45:07) Roi-san, I don't suppose you happen to be free sometime before the 18th, do you :ablobcatnodmeltcry:

Reply to @hos1miya@misskey.0sakana.xyz :hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-08 23:27:37) As for transport, I guess Noda Line → Sobu Line → bus from Makuhari-Hongo is the easiest. The time it takes, though

:hosimiya_mion::star_stroke:@hos1miya@misskey.0sakana.xyz (2026-06-08 23:25:23) Makuhari Shintoshin costs as much as 2.8k...? (only noticing now)