We have released the Hollo 0.7.16 and 0.8.5 security patches. This patch fixes a considerable number of security vulnerabilities at once. Please update promptly.
RE: https://hollo.social/@hollo/019e3e2d-bcdc-7256-8a4c-2f3d7c26efa1
Question for fedi art nerds: if I wanted to spend around $400 on a graphics tablet for casual use under linux (fedora/gnome/wayland, unless I really really really had to change, and even then it would be a vm), what are the good options?
Other considerations: this will be mostly couch use, portable is better, 14-16" is probably the right size, and I've gotten accustomed to hardware that just works
@jenniferplusplus thank you for asking this, very interested in this! You mention "casual use under linux (fedora/gnome/wayland)"... can you by any chance point me to details about the OS you plan to use? I've been assuming I'd use https://www.ubuntu-touch.io/ for something like this, but sounds like you are thinking of using something different?
He is literally looting the treasury to the tune of nearly TWO BILLION DOLLARS and passing it out to his felonious cronies
@Cdespinosa it’s enraging and what’s worse since no one’s stopping him he WILL do it again. And again. And again.
Excellent question (we really miss Andy!) I don't have a good answer for you but I'll post it to the internal "Comms" chat room
Projects – Ecological Building Network
Iron Ore Falls to Two-Week Low on China Steel Demand Concerns
https://www.bloomberg.com/news/articles/2026-05-19/iron-ore-falls-to-two-week-low-on-china-steel-demand-concerns?utm_source=flipboard&utm_medium=activitypub
Posted into Profiles @profiles-bloomberg
Oh baby, THIS is smooth...
https://www.youtube.com/watch?v=Jgkz7sVp7Tw&list=RDJgkz7sVp7Tw&start_radio=1
Oh wait, I know this band - they do a track called Metaphor I think. That's where I've heard this sound before.
Mountain Shasta
S. Korea Household Lending Accelerates Amid Seoul Housing Rally
https://www.bloomberg.com/news/articles/2026-05-19/s-korea-household-lending-accelerates-amid-seoul-housing-rally?utm_source=flipboard&utm_medium=activitypub
Posted into Business @business-bloomberg
Very cool to have the #Montreal #Canadiens move on to the conference finals. It's magical in Montreal when the Habs are in the playoffs.
The most brazen theft of public funds that has ever occurred just happened.
President Donald #Trump has secured a $1.8 billion taxpayer-funded "Anti-Weaponization Fund" in exchange for dropping his $10 billion lawsuit against the #IRS.
The settlement, announced by the #DOJ, establishes a fund to compensate individuals who claim they were wrongfully targeted by the Biden administration's legal system, including January 6 insurrectionists and Trump allies.
That's right y’all, the Jan6ers, Proud Boys, KKK and the rest, just got almost 2 Billion dollars to rebuild their militias.
This takes #kakistocracy to a whole new level of corruption.
Feel like their name for the fund should never be used. Instead it should be called the $1.3 Billion Taxpayer Ripoff Fund, or something like that.
Metals Slide as US-Iran Situation Makes Outlook ‘Very Binary’
https://www.bloomberg.com/news/articles/2026-05-19/metals-slide-as-us-iran-situation-makes-outlook-very-binary?utm_source=flipboard&utm_medium=activitypub
Posted into Middle East @middle-east-bloomberg
Allianz’s Zeng on US Rates & Bond Yields
https://www.bloomberg.com/news/videos/2026-05-19/allianz-s-zeng-on-us-rates-bond-yields-video?utm_source=flipboard&utm_medium=activitypub
Posted into Profiles @profiles-bloomberg
The last six months in LLMs in five minutes
https://simonwillison.net/2026/May/19/5-minute-llms/
#HackerNews #LLMs #AI #trends #technews #innovation #quicksummary
Under Donald Trump, crime pays! And the criminals know it.
On Friday @emptywheel talked about how Andrew Paul Johnson attempted to silence the young boy he sexually molested by promising him a share of payout he expected from being a Jan6ers.
Full story on @nicolesandler YT https://www.youtube.com/live/EyXEj2ugnSc?si=ZW1z4pMzXLJYzciv&t=2822
This story creeped me out and made me angry.
Trigger warning: discussion of child sexual assault
If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.
On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.
On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.
The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.
All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.
For 0.7.x deployments, update to 0.7.16:
docker pull ghcr.io/fedify-dev/hollo:0.7.16
For 0.8.x deployments, update to 0.8.5:
docker pull ghcr.io/fedify-dev/hollo:0.8.5
After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
If anything is unclear, ask below.
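The inbox origin checks described in the advisory (Delete, Update, and the Announce object validation), written up as an added TypeScript example. This is not Hollo's code: the `Cached` record shape, the in-memory cache, the `fetchCanonical` resolver and the choice to accept a same-origin embedded Announce object without re-fetching are assumptions made for illustration.

```typescript
// Added example of origin-consistency checks for ActivityPub inbox handlers.
// Not Hollo's code; record shapes, cache and resolver are constructed here.

type Cached = { id: string; attributedTo: string };

// Origin (scheme + host + port) is the unit that must agree between an
// activity's actor and the objects it claims to delete, update or create.
export function origin(iri: string): string | null {
  try { return new URL(iri).origin; } catch { return null; }
}

// True only if every IRI parses and all share the first IRI's origin.
export function sameOrigin(...iris: string[]): boolean {
  const o = iris.map(origin);
  return o[0] !== null && o.every((x) => x === o[0]);
}

// Delete: only an actor from the cached author's origin may remove the post.
export function allowDelete(actor: string, cached: Cached | undefined): boolean {
  return cached !== undefined && sameOrigin(actor, cached.attributedTo);
}

// Update: actor, object id and attributedTo must share one origin, so a remote
// actor cannot overwrite or first-materialize a post under another server's name.
export function allowUpdate(actor: string, obj: Cached): boolean {
  return sameOrigin(actor, obj.id, obj.attributedTo);
}

// Announce: the embedded body is not trusted across origins. Unknown cross-origin
// objects are re-fetched from their id (canonical URL) through the resolver, and
// anything newly cached must have matching id and attributedTo origins.
export async function objectForAnnounce(
  actor: string, embedded: Cached, cache: Map<string, Cached>,
  fetchCanonical: (id: string) => Promise<Cached | null>,
): Promise<Cached | null> {
  const known = cache.get(embedded.id);
  if (known) return known;                      // already cached: ignore embedded body
  const candidate = sameOrigin(actor, embedded.id)
    ? embedded                                   // same origin: announcer vouches for it
    : await fetchCanonical(embedded.id);         // cross origin: ask the source
  if (!candidate || candidate.id !== embedded.id) return null;
  if (!sameOrigin(candidate.id, candidate.attributedTo)) return null;
  cache.set(candidate.id, candidate);
  return candidate;
}
```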