1
12
submitted 2 weeks ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Here's the list of user-facing changes from the release notes:

  • We enhanced security so that after a user changes their password or 2FA, all the current sessions of that user will be invalid and the user will need to log in again.

  • A new combined front page. You could make the combined front page the default in your profile settings, which means you see both threads and microblogs combined on the homepage.

  • We also introduced a new feature under general settings, where you can select "Who can send you a direct message" (defaults to everybody).

  • We added support for magazine banners in Mbin (which is also compatible with Lemmy Communities).

  • Mbin combines the thread form into just one form (instead of article, link, and photo each having a separate form). Mbin now also federates bans correctly (both incoming and outgoing bans).

  • Global mods can now manage (view, approve and/or deny) account signups. Global mods can now also receive signup notifications, which will also come with a new menu item in the drop-down menu.

  • Plus various other bug fixes and CSS layout improvements, ban notification fixes, and too many other fixes to mention here.

2
4
submitted 1 month ago by Oofnik@kbin.earth to c/kbinEarth@kbin.earth

Hey all, hoping to find someone who's been in a similar boat and was able to solve this. I am consistently getting a 500 Internal Server Error, but only when visiting /all on mobile (including the mobile "app"). I tried logging out and back in again. When I am logged out, /all works fine, but when I log back in I get the 500 error again.

Ideas?

3
11
submitted 1 month ago by Maeve@kbin.earth to c/kbinEarth@kbin.earth

Title. A story from maga.place showed up on my feed. Thank you.

4
18
submitted 1 month ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Sorry that kbin.earth has been down today. Apparently, several people had issues yesterday, but I hadn't realized the full extent due to Matrix severely delaying my notifications.

The server unfortunately crashed while I was unavailable for the day, so I wasn't aware of the issue and couldn't fix it till I got back.


As an aside and general note for everyone, I don't intend on ever shutting down kbin.earth without notice. I also don't intend on completely disappearing either; I don't want people needing to wonder if something happened to me. If I plan to shut down kbin.earth (which I don't btw), I will give as much warning in advance as I can. (I'm not going to be a repeat of kbin.run)

Today only occurred due to an unfortunate combination of technology issues (my failure to receive Matrix notifications and the server crashing) and unavailability.


Again, sorry for the inconvenience. Best regards.

5
17
submitted 1 month ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Sorry guys, but the spam users are getting out of hand. I've had multiple users (probably the same person) register for accounts and post digital art (in multiple communities) that sexualizes children, which I do not condone at all. Of course, they had to go and ruin it for any genuine person who wants to register.

Let me take a moment to restate the rules (which are always listed on the about page). They are simply: be respectful, no spam or advertisements, and no pornography or explicit content. Hopefully, it's implied that any content that could even be mistaken for CSAM is prohibited. If you have any questions or concerns about the rules, don't hesitate to reach out.


That being said, the only difference with registration is that you now have to fill out a text field explaining why you want to join the server, and then you have to wait for manual approval by an admin.

Since manual approval is now required, I am looking for a third admin who thinks they could help out, as I am not available all the time. Ideally someone who has already been using kbin.earth for a while and is decently active.

6
4

I see a new spam account among the new users section, but I don't see a way to report their profile? They don't have any comments, threads, or posts yet so I can't use the report functions there. Any ideas?

7
2
submitted 2 months ago by Coopr8@kbin.earth to c/kbinEarth@kbin.earth

Hey all, I have been having problems getting offsite images to load via the image markup in comments. I see other Fediverse instances allow users to upload images directly, is that a feature that is active on KBin.Earth? If so how do I use it? I'm mainly using Interstellar as my client.

Thanks!

8
2
Error on post (kbin.earth)
submitted 2 months ago by Coopr8@kbin.earth to c/kbinEarth@kbin.earth

ClientException: Request failed with status 400: Bad Request: {"type":"https:\/\/tools.ietf.org\/html\/rfc2616#section-10","title":"An error occurred","status":400,"detail":"Bad Request"}, uri=https://kbin.earth/api/magazine/1/posts

Any hints what's up? Is my post too long?

9
30
submitted 2 months ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Crossposted from https://gehirneimer.de/m/updates@kbin.melroy.org/t/766866/Mbin-security-disclosure

As most of the servers listed on the fediverse.observer and fedidb are not at v1.8.3 anymore, we need to talk about the security patch we released as part of v1.8.4. We have tried to get in touch with the remaining instance admins and gave them a week to update their instances.

In v1.8.3 a bug was introduced that caused a significant information leak on the user outbox endpoint, reachable through https://mbin.instance/u/username/outbox. This endpoint contains all public activities of a user. On servers running v1.8.3, this endpoint did not return JSON in an ActivityPub compatible format, but just serialized data. This serialized data contained nearly every bit of data Mbin has about a user: the IP, the email address, the private key to sign activities from this user, securely hashed passwords, 2FA secret and backup codes, etc. We think it is unlikely that someone made use of this, as this endpoint is not commonly used. Other ActivityPub software of course uses this endpoint to fetch data, but if that data is not in a compatible format it just ignores it.

We are very sorry about this and honestly very frustrated that it slipped by.

What can users do

The only thing you can really do is to change your password and two factor authentication (disable and re-enable it).

What can admins do

You could check your access logs for any requests on this endpoint not coming from a known fediverse software to research your instance specific instance.

What did we do / What are we going to do

To prevent this from happening again we introduced automated tests on that endpoint and will do so on similar new endpoints (like a magazine outbox) in the future.

We will also add a new command next release to generate new private keys for all users to prevent impersonation. However that might cause rejected activities for up to 24 hours. Every software we checked updates remote users at least every 24 hours including re-fetching the private key.

Technical explanation for those interested

With v1.8.3 we refactored a lot of the ActivityPub code. The reason we did that was simply because we did not save any outgoing activities, as in: we did not record what we sent out to other servers. Since v1.8.3 other servers can actually query the URLs we sent them.
Behind the scenes that means that we are now saving something to the database that we previously didn't do. In the process of this all *Factory and *Wrapper classes now return an Activity object instead of an associative array. Because the user outbox endpoint was forgotten, that just returned an array of these Activity objects that were then serialized, instead of the correct way introduced with v1.8.3, which is to call ActivityJsonBuilder::buildActivityJson.
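
The access-log check suggested under "What can admins do", as an added example that is not part of the original post or of Mbin's code. The combined log format, the `KNOWN_FEDIVERSE_UA` list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Combined Log Format (assumed): ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# The user outbox path named in the disclosure, with an optional query string.
OUTBOX_RE = re.compile(r'^/u/(?P<user>[^/?]+)/outbox/?(?:\?.*)?$')

# Assumption: User-Agent substrings of fediverse server software you expect to
# fetch outboxes. Adjust to what actually federates with your instance.
KNOWN_FEDIVERSE_UA = ("mbin", "lemmy", "mastodon", "pleroma", "akkoma", "misskey", "piefed")

def suspicious_outbox_hits(lines, known=KNOWN_FEDIVERSE_UA):
    """Successful GETs on a user outbox whose User-Agent is not on the known list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # unparsable, or no response body was served
        o = OUTBOX_RE.match(m["path"])
        if not o:
            continue
        # The User-Agent is client-supplied, so this is a triage filter, not proof.
        if any(k in m["ua"].lower() for k in known):
            continue
        hits.append({"ip": m["ip"], "time": m["time"], "user": o["user"], "ua": m["ua"]})
    return hits

def affected_users(hits):
    """Accounts whose outbox was fetched by an unrecognised client."""
    return sorted({h["user"] for h in hits})

# Constructed sample lines (documentation IP ranges, made-up users and timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Feb/2025:10:01:02 +0000] "GET /u/alice/outbox HTTP/1.1" 200 5120 "-" "http.rb/5.2.0 (Mastodon/4.3.2; +https://social.example/)"',
    '203.0.113.9 - - [12/Feb/2025:10:05:40 +0000] "GET /u/alice/outbox?page=1 HTTP/1.1" 200 88211 "-" "curl/8.5.0"',
    '203.0.113.9 - - [12/Feb/2025:10:05:44 +0000] "GET /u/bob/outbox HTTP/1.1" 200 90412 "-" "python-requests/2.31.0"',
    '192.0.2.44 - - [12/Feb/2025:10:09:13 +0000] "GET /u/carol/outbox HTTP/1.1" 404 312 "-" "curl/8.5.0"',
    '192.0.2.50 - - [12/Feb/2025:10:11:27 +0000] "GET /u/alice HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = suspicious_outbox_hits(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["user"], h["ua"])
    print("review accounts:", affected_users(hits))
```

Feed it only the log lines from the period your instance ran v1.8.3; the accounts it returns are the ones to prioritise for the password and 2FA reset described above.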

10
7
submitted 4 months ago by Maeve@kbin.earth to c/kbinEarth@kbin.earth

I am on a short break while driving, so I won't be able to reply. Somehow I am getting notifications like replies to comments, in threads and magazines where those notifications are off, I haven't participated. This started sometime in the wee hours Eastern USA time zone.

11
30
submitted 5 months ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Thank you for your thread @green_copper, I have been looking into the issue and figured out one of the commits recently pushed to Mbin was borked (which I had updated to yesterday). I've reverted the commit and that seems to have fixed things.

The server is now working at max capacity to catch back up on federation, but it could take over a few hours, as the queue had over a million messages built up.

Thanks!

12
13
submitted 6 months ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Exactly the title. I was considering setting up a PieFed server since that seems to be all the rage, and I thought I'd ask if y'all would have any interest in that.

It would be run with exactly the same policies as kbin.earth is run: lite defederation, be respectful, no spam, and no porn.

To add some info, PieFed doesn't have microblog capabilities yet, but it does have quite a lot of features that Mbin does not have, such as Feeds (combined community views), and the moderation/administration tools seem to be off the scale (in a good way).

I will admit, PieFed's API is nowhere near as mature as Mbin's, and definitely not Lemmy's, because that's just not what the PieFed developers are focusing on. Interstellar does provide PieFed support though.

13
32
submitted 7 months ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Over the past week, I've seen the network traffic more than double from the usual amount, which has caused major noticeable slowdowns here. The total network bandwidth has gone from ~25GB on May 10th to ~58GB today.

I'm currently investigating the cause of the spike, but have not found anything yet. I can only assume it's from some form of DDOS attack.

In the meantime, I have temporarily doubled our server resources to account for the increased strain, which will hopefully reduce the number of slowdowns everybody's encountering. I'm hoping that sometime in the next few days, I will be able to figure out the root cause of the issue so we can get things back to normal.

Thank you for your patience.

14
3
submitted 8 months ago by Maeve@kbin.earth to c/kbinEarth@kbin.earth

Hello, thanks so much for this instance. Twice from two different instances now, I can see and reply to posts, then not see other comments or my own replies in the thread shown to me unless someone directly replies to me, or I visit the original URL.

lemm.ee and Lemmy.ca

15
16
submitted 8 months ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Thank you all for your patience, and sorry for the huge downtime. I think it ended up being down about 40 minutes or so.

Luckily, I was able to get kbin.earth migrated over to the new Mbin Docker setup! This new setup means the Docker is now officially supported by Mbin, whereas it wasn't really recommended before.

And this new Docker setup was actually made in-house by ... me! I guess I'm officially an Mbin contributor now :)

Anyway, the other big thing I accomplished was upgrading the Postgres major version from 13 to 17 (the latest), which is quite a big jump! Actually, this database upgrade was really what took so long; the migration could have been done in ~5 minutes otherwise.

As always, let me know if you notice any peculiarities or issues caused by this migration.

16
2
submitted 8 months ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

...

JK, but happy April 1st to everybody!

17
1
submitted 10 months ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

It brings an extensive bookmarking system, signup request support, signup notifications, extended markdown rendering, custom notification settings to set magazines, users, threads and microblogs to default, loud or muted, setting a default sort for the front page and comment lists, a new image delete command for admins and documentation changes.

See this thread for a detailed review of the update: https://gehirneimer.de/m/mbinReleases/t/486586

As a reminder, if you'd like to help support the kbin.earth instance financially, there are a few donation links in the about page.


Also, for those who use Interstellar, expect an update sometime soon that will utilize some of these new features. Unfortunately, there is a bug in the Mbin API that will not let me add custom notification settings controls quite yet to Interstellar, but bookmarking in the app will be supported.

18
0
submitted 2 years ago by jwr1@kbin.earth to c/kbinEarth@kbin.earth

Recently, I've noticed federated threads/comments/votes were lagging behind, and it turns out kbin.earth was being spammed (hundreds in a minute, leading to a couple thousand queued messages after only half an hour) by a Lemmy server with the same exact activity pub message. After blocking the server (feddit.de), federation should now work correctly. If the admins of the server ever fix the issue, I'll be glad to unblock it.

Edit: turns out, this was probably actually a kbin issue, but at least it's fixed the issues temporarily.

kbin.earth meta


A magazine dedicated to the kbin.earth Mbin instance. Official announcements and maintenance updates are made here, but also feel free to ask questions or request support.

If you'd like, you can also join the kbin.earth Matrix chat for real-time discussion of support, moderation decisions, or just general chatting.

founded 2 years ago