@hollo@hollo.social

Hollo security updates: 0.7.15 and 0.8.3

If you run Hollo, update to a patched release now. A private network protection bypass in Fedify, the ActivityPub framework Hollo depends on, affects remote document loading. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass URL validation even though they refer to private or loopback addresses.

Hollo uses Fedify to fetch remote ActivityPub documents and related resources. An attacker who can make your Hollo instance fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF (Server-Side Request Forgery) risk.

All Hollo versions up to and including 0.7.14 and 0.8.2 are affected. Patched releases are 0.7.15 for the 0.7.x series and 0.8.3 for the 0.8.x series. For full technical details of the underlying vulnerability, see the Fedify security announcement.
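To make the bug class concrete, here is an added illustration in plain Node.js; it is not Hollo's or Fedify's code. A check that inspects only the literal host string lets http://[::ffff:7f00:1]/ through, while unmapping IPv4-mapped IPv6 literals before the range check catches it. The range list and the reliance on Node's global URL parser are assumptions of this example, not Fedify's implementation.

```javascript
const PRIVATE_V4 = [ // assumption: RFC 1918, loopback, link-local, CGNAT, "this network"
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted quad -> 32-bit integer, or null if the string is not a valid IPv4.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isPrivateIPv4(s) {
  const n = ipv4ToInt(s);
  if (n === null) return false;
  return PRIVATE_V4.some(([net, bits]) =>
    (n >>> (32 - bits)) === (ipv4ToInt(net) >>> (32 - bits)));
}

// If host is an IPv4-mapped IPv6 literal (::ffff:a.b.c.d or ::ffff:hhhh:hhhh),
// return the embedded IPv4 as a dotted quad; otherwise return the bare host.
function unmapIPv4(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  let m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (m) return m[1];
  m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (!m) return h;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
}

// Vulnerable shape: "[::ffff:7f00:1]" is neither a dotted quad nor "::1", so it passes.
function isPrivateHostNaive(url) {
  const host = new URL(url).hostname.replace(/^\[|\]$/g, "");
  return isPrivateIPv4(host) || host === "::1";
}

// Hardened shape: unmap first, then apply the same IPv4 ranges plus the IPv6
// loopback, unique-local (fc00::/7) and link-local (fe80::/10) blocks.
function isPrivateHost(url) {
  const host = unmapIPv4(new URL(url).hostname);
  return isPrivateIPv4(host) || host === "::1" ||
    /^f[cd][0-9a-f]{2}:/.test(host) || /^fe[89ab][0-9a-f]:/.test(host);
}
```

This only covers literal hosts; the same normalisation has to be applied to every address a hostname resolves to before the connection is opened.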

For 0.7.x deployments, update to 0.7.15:

docker pull ghcr.io/fedify-dev/hollo:0.7.15

For 0.8.x deployments, update to 0.8.3:

docker pull ghcr.io/fedify-dev/hollo:0.8.3

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

Thanks to Changkyun Kim (@me) for the report and responsible disclosure to the Fedify project.

If anything is unclear, ask below.

Release Hollo 0.8.3 · fedify-dev/hollo

Released on May 10, 2026. Upgraded Fedify to 2.1.12 to fix a critical SSRF (Server-Side Request Forgery) vulnerability where private IPv4 addresses encoded as IPv6 literals could bypass security c...