Public Service Announcement: Security vulnerability in gemini server software
2022-01-31 | #security | @Acidus
I stumbled on a serious security vulnerability in a widely used gemini server. I am being deliberately vague because I don't want to enable malicious users to exploit the vulnerability until a fix is available.
I was able to contact the developer of the gemini server. They understand the seriousness of the issue and are working on a fix, which they expect to have available in the next week or so.
I did a scan of all known capsules and there are ~50 capsules with this security vulnerability. Once a fixed version has been released I will provide more information about the security issue.
For now, I suggest anyone running their own server:
- Update your gemini server software to the most recent version. This is good advice for software in general. Additionally, if you happen to be using the impacted software, this lets you verify that your capsule works properly with the latest version, so you can move to the fixed version quickly as soon as it is released.
- Monitor the homepage for the server software your gemini server uses. You will want to update to the fixed version once it is available.
- Watch Antenna/this Gemlog. I'll post more information when a fix is available.
I am confident this issue will be resolved and I believe it can serve as a catalyst to discuss many positive things such as:
- A standardized way to find contact information for the owner of a capsule
- The risks and responsibilities of running public-facing servers
- Best practices for running gemini capsules securely