Owl Owl OÜ


Lemmy Updated to 0.19.19


We have updated R.NF to Lemmy 0.19.19.

This is a security-focused maintenance release. It does not introduce breaking changes, but it includes several important fixes that are worth applying promptly on public Lemmy instances.


Security Fixes

Lemmy 0.19.19 addresses multiple security issues:

  • Fixed a rate-limit bypass involving spoofed X-Forwarded-For headers
  • Fixed user enumeration through login response behavior
  • Fixed a case where blocked users could still edit private messages sent before the block
  • Fixed federation handling where a lower-ranked remote moderator could remove higher-ranked moderators
  • Fixed federated post featuring logic so the community is properly validated and moderation actions are logged
  • Fixed a stored XSS issue involving markdown image alt text in lemmy-ui HTML embeds

The X-Forwarded-For issue is especially important for instance operators. Lemmy’s default NGINX configuration previously set the header from $proxy_add_x_forwarded_for, which appends $remote_addr to whatever X-Forwarded-For value the client already sent instead of replacing it, so a client-chosen address is passed through to Lemmy. The recommended fix is to set the header from $remote_addr, so that client-supplied forwarded headers are overwritten instead of trusted.
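The two settings side by side, as an added example for this post (it is not Lemmy’s shipped configuration and is not taken from the release notes). It assumes the Lemmy backend listens on 127.0.0.1:8536 and that this NGINX is the edge that accepts the client’s TCP connection; the client and forged addresses in the comments are constructed, and the realip lines at the end are only for deployments that place another trusted proxy in front of NGINX.

```nginx
# Added example, not Lemmy's shipped config. Assumes the Lemmy backend
# listens on 127.0.0.1:8536 and that this NGINX is the edge that accepts
# the client's TCP connection.

# BEFORE (vulnerable): $proxy_add_x_forwarded_for appends $remote_addr to
# any X-Forwarded-For the client sent. A request carrying
# "X-Forwarded-For: 203.0.113.5" from client 198.51.100.7 (constructed
# addresses) reaches Lemmy as
# "X-Forwarded-For: 203.0.113.5, 198.51.100.7". A backend that reads the
# left-most address then rate-limits the address the client chose.
#
# location / {
#     proxy_pass http://127.0.0.1:8536;
#     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# }

# AFTER (fixed): overwrite the header with the address NGINX actually saw,
# so the same request reaches Lemmy as "X-Forwarded-For: 198.51.100.7".
location / {
    proxy_pass http://127.0.0.1:8536;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Replace, never append to, the client-supplied value.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# Only if another proxy you control sits in front of NGINX (assumption):
# let the realip module recover the client address from that trusted hop
# alone, so $remote_addr above is the real client and not the front proxy.
# Without this, $remote_addr would be the front proxy's address and every
# client would share one rate-limit bucket.
#
# set_real_ip_from  10.0.0.0/8;        # the trusted proxy's address range
# real_ip_header    X-Forwarded-For;
# real_ip_recursive on;
```

To check a deployment, send a request with a forged X-Forwarded-For header (for example with curl -H) through the proxy and confirm at the backend, e.g. by temporarily logging the header value, that only the connecting address arrives. If you do use the realip block, keep set_real_ip_from limited to the proxy addresses you actually control; listing a broad range reintroduces the same trust problem one hop earlier.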

Upgrade Notes

There are no breaking changes in this release.

Admins using Lemmy’s Ansible setup get the NGINX configuration change automatically during the upgrade. Other deployments should check their reverse proxy configuration and make sure client-supplied X-Forwarded-For headers are overwritten with the connecting address rather than appended to, so they cannot be used to bypass rate limits.

For R.NF, this update keeps our Lemmy instance on the latest 0.19 security release and ensures the service remains stable for link-sharing and community discussion.

Full Release Notes

For the official release notes, see:


Summary

R.NF is now running Lemmy 0.19.19.

This update focuses on security and operational correctness, especially around rate limiting, login behavior, moderation over federation, private messages, and safe rendering in the web UI.