Sharkey - Official Account
Sharkey project Security Announcement
The recent CVE-2024-29510 vulnerability (Remote Code Execution in Ghostscript) has been found to be exploitable against Sharkey and other Misskey-based software under specific environments. This is not a vulnerability in Sharkey itself, but in an optional dependency that may be installed as a system library. The official Sharkey docker images are not vulnerable, but bare-metal installations may be affected.
An instance may be vulnerable if:
- `libgs` and `imagemagick` are both installed.
- `libgs` is older than `10.02.1`, `10.01.2`, `9.55.0`, or `9.50`.
To check the version of `libgs`:
- Execute `dpkg -l | grep -P "ii\s+libgs\d"`.
- If no results are found, then `libgs` is not installed and not vulnerable.
- If the third column starts with `10.02.1`, `10.01.2`, `9.55.0`, or `9.50`, then `libgs` is patched and not vulnerable.
- Otherwise, `libgs` is vulnerable.
To patch the vulnerability:
- Update `libgs` to the latest available version. The instructions will vary between environments.
#Sharkey #Misskey #FediAdmin #FediAdmins #SecurityAnnouncement
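
The check described in the announcement, written as a script that reads `dpkg -l` output and reports both conditions at once. This is an added example, not part of the original announcement or the Sharkey project; the function name `libgs_check`, the `imagemagick*` package-name match and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the announcement): apply its check to `dpkg -l` text.
# Reads `dpkg -l` output on stdin and prints one summary line:
#   libgs=<not-installed|patched|vulnerable> imagemagick=<yes|no> [outdated=<pkg>@<ver>,...]
libgs_check() {
    awk '
        BEGIN { n = split("10.02.1 10.01.2 9.55.0 9.50", fixed, " ") }
        # Same rows the announcement selects with: grep -P "ii\s+libgs\d"
        $1 == "ii" && $2 ~ /^libgs[0-9]/ {
            seen = 1
            ok = 0
            # Patched only if the third column STARTS WITH a listed version.
            for (i = 1; i <= n; i++)
                if (index($3, fixed[i]) == 1) ok = 1
            if (!ok) outdated = outdated (outdated ? "," : "") $2 "@" $3
        }
        # Assumption: ImageMagick packages are named imagemagick*.
        $1 == "ii" && $2 ~ /^imagemagick/ { im = 1 }
        END {
            state = !seen ? "not-installed" : (outdated ? "vulnerable" : "patched")
            printf "libgs=%s imagemagick=%s", state, (im ? "yes" : "no")
            if (outdated) printf " outdated=%s", outdated
            printf "\n"
        }
    '
}

# Constructed sample rows in `dpkg -l` layout (not captured from a real host).
SAMPLE_OLD='ii  imagemagick     8:6.9.11.60  amd64  image manipulation programs
ii  libgs9:amd64    9.26~example-1  amd64  interpreter for PostScript - Library'
SAMPLE_FIXED='ii  libgs10:amd64   10.02.1~example-1  amd64  interpreter for PostScript - Library'

printf '%s\n' "$SAMPLE_OLD"   | libgs_check
printf '%s\n' "$SAMPLE_FIXED" | libgs_check
# On a real Debian/Ubuntu host: dpkg -l | libgs_check
```

Rows in any state other than `ii` (for example `rc`, removed with config files left behind) are ignored, matching the announcement's `grep` pattern.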