- cross-posted to:
- announcements@lemmy.ml
This version again includes a couple of security fixes. Thanks to the people who found and reported them!
The first one in particular requires manual action from instance admins. Lemmy’s default Nginx config uses $proxy_add_x_forwarded_for to set the X-Forwarded-For header. That variable appends $remote_addr to whatever X-Forwarded-For value the client already sent instead of overriding it, so clients can spoof their IP and bypass rate limits. The solution is to use $remote_addr instead. If you use Ansible this will be changed automatically during the upgrade; otherwise you will need to do it manually. If you don't use Nginx, ensure that any X-Forwarded-For headers sent by the client are overwritten.
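As an added illustration (not code from Lemmy or this announcement), the following Python models the two Nginx settings and a rate limiter behind them, and includes a small audit function you can point at your own nginx.conf text. The config snippets, the peer address 203.0.113.7 and the spoofed values are constructed; the assumption that the upstream takes the leftmost X-Forwarded-For entry as the client address is mine, chosen to reproduce the bypass the post describes.

```python
import re

# Constructed nginx snippets showing the weak directive and the fixed one.
WEAK_CONF = """
location / {
    proxy_pass http://lemmy;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # appends to client value
}
"""
FIXED_CONF = """
location / {
    proxy_pass http://lemmy;
    proxy_set_header X-Forwarded-For $remote_addr;  # replaces client value
}
"""

XFF_DIRECTIVE = re.compile(
    r"^\s*proxy_set_header\s+X-Forwarded-For\s+(\S+?)\s*;", re.IGNORECASE | re.MULTILINE
)

def audit_nginx_conf(conf_text):
    """Return the X-Forwarded-For directive values that still carry client input."""
    return [v for v in XFF_DIRECTIVE.findall(conf_text) if "$proxy_add_x_forwarded_for" in v]

def nginx_forwarded_for(client_headers, remote_addr, appending):
    """Value nginx sends upstream for X-Forwarded-For.

    $proxy_add_x_forwarded_for: incoming header + ", " + $remote_addr, or just
    $remote_addr when the client sent none. $remote_addr: always the TCP peer.
    """
    incoming = client_headers.get("X-Forwarded-For")
    if appending and incoming:
        return f"{incoming}, {remote_addr}"
    return remote_addr

def client_ip_from_header(forwarded_for):
    """Backend view of the client: the leftmost X-Forwarded-For entry.
    Assumption: this is how the upstream derives the address it rate-limits on."""
    return forwarded_for.split(",")[0].strip()

class RateLimiter:
    """Fixed-window counter per key; allow() returns False once the limit is exceeded."""
    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def allow(self, key):
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit

def requests_admitted(appending, limit=3, attempts=6, peer="203.0.113.7"):
    """A single TCP peer sends `attempts` requests, each carrying a different
    (constructed) X-Forwarded-For value. Returns how many pass the limiter."""
    limiter = RateLimiter(limit)
    admitted = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}
        xff = nginx_forwarded_for(headers, peer, appending)
        if limiter.allow(client_ip_from_header(xff)):
            admitted += 1
    return admitted

if __name__ == "__main__":
    print("weak config findings:", audit_nginx_conf(WEAK_CONF))
    print("fixed config findings:", audit_nginx_conf(FIXED_CONF))
    print("admitted with $proxy_add_x_forwarded_for:", requests_admitted(True))
    print("admitted with $remote_addr:", requests_admitted(False))
```

With the appending directive every request looks like a new client and all six are admitted; with $remote_addr the limiter keys on the real peer and stops at the configured limit. Running audit_nginx_conf over your real config (after reading the file) is a quick post-upgrade check that no location block still uses the old variable.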
The remaining security vulnerabilities are in the Lemmy code itself, and will be fixed simply by upgrading.
Security:
- Rate limit bypass via X-Forwarded-For header spoofing in actix-web ConnectionInfo
- Login Endpoint User Enumeration via HTTP Response Code and Timing
- Blocked users can edit private messages sent before the block
- Lower-ranked federated moderator can remove higher-ranked moderators via federation
- Featuring post over federation does not validate community nor write modlog
- Stored XSS via markdown image alt-text in lemmy-ui html5-embed