This release fixes a security vulnerability which allows an attacker to delete images uploaded by other users. You can read the details in the security advisory. Thanks to @Nothing4You for discovering and fixing it.

An improper uploaded media ownership check can result in inadvertent deletion of media when a user is banned with content removal or purged. This can lead to deletion of media that was not uploaded by the banned/purged user. This also applies to purged communities, in which case all media posted in that community will get deleted without a proper ownership check. This is limited to media with an image/* content-type returned by pict-rs.

In addition to the fun changelog:

https://join-lemmy.org/news/2025-04-08_-_Lemmy_Release_v0.19.11
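
The ownership problem described in the advisory text above, shown as an added example that is not part of the original post and is not Lemmy's code. It is a simplified Rust model: the `Post` struct, the `Uploads` map, the function names and the example.test URLs are all assumptions made for illustration.

```rust
use std::collections::HashMap;

// Constructed sample URLs (placeholders, not real instance paths).
const A: &str = "https://example.test/media/a.png";
const B: &str = "https://example.test/media/b.png";
const C: &str = "https://remote.example.test/media/c.png";

// Hypothetical model: a post references one media URL.
struct Post { author: u32, media_url: &'static str }

// Hypothetical upload record: media URL -> id of the local user who uploaded it.
type Uploads = HashMap<&'static str, u32>;

/// Flawed selection: every media URL referenced by the removed user's posts,
/// regardless of who uploaded the file.
fn media_to_delete_unchecked(posts: &[Post], removed: u32) -> Vec<&'static str> {
    posts.iter().filter(|p| p.author == removed).map(|p| p.media_url).collect()
}

/// Checked selection: only media whose recorded uploader is the removed user.
/// Media with no upload record (e.g. remote files) is never selected.
fn media_to_delete_checked(posts: &[Post], uploads: &Uploads, removed: u32) -> Vec<&'static str> {
    posts.iter()
        .filter(|p| p.author == removed)
        .map(|p| p.media_url)
        .filter(|url| uploads.get(url) == Some(&removed))
        .collect()
}

// Constructed data: user 1 uploaded A; user 2 uploaded B but also posted A and C.
fn sample() -> (Vec<Post>, Uploads) {
    let posts = vec![
        Post { author: 1, media_url: A },
        Post { author: 2, media_url: A },
        Post { author: 2, media_url: B },
        Post { author: 2, media_url: C },
    ];
    (posts, HashMap::from([(A, 1), (B, 2)]))
}

fn main() {
    let (posts, uploads) = sample();
    // Removing user 2's content: the unchecked path also selects user 1's upload.
    println!("unchecked: {:?}", media_to_delete_unchecked(&posts, 2));
    println!("checked:   {:?}", media_to_delete_checked(&posts, &uploads, 2));
}
```
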

  • Nothing4You@programming.dev
    4 days ago

    I messaged @[email protected] on matrix about this a while back already, before it was published. this is easily backported to 0.19.8, most likely even with the custom blahaj patches. i’m not sure it was applied though, as i didn’t hear back from her unfortunately.