diff --git a/Dockerfile b/Dockerfile
index 310d18104..72c227b76 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -49,7 +49,7 @@ USER pleroma
 
 COPY --from=build --chown=pleroma:0 /release ${HOME}
 
-COPY ./config/docker.exs /etc/pleroma/config.exs
+COPY --chown=pleroma --chmod=640 ./config/docker.exs /etc/pleroma/config.exs
 COPY ./docker-entrypoint.sh ${HOME}
 
 EXPOSE 4000
diff --git a/changelog.d/3879.fix b/changelog.d/3879.fix
new file mode 100644
index 000000000..7c58cc3c2
--- /dev/null
+++ b/changelog.d/3879.fix
@@ -0,0 +1 @@
+fix not being able to fetch flash file from remote instance
\ No newline at end of file
diff --git a/changelog.d/disable-xml-entity-resolution.security b/changelog.d/disable-xml-entity-resolution.security
new file mode 100644
index 000000000..db8e12f67
--- /dev/null
+++ b/changelog.d/disable-xml-entity-resolution.security
@@ -0,0 +1 @@
+Disable XML entity resolution completely to fix a dos vulnerability
diff --git a/changelog.d/dockerfile-config-perms.fix b/changelog.d/dockerfile-config-perms.fix
new file mode 100644
index 000000000..49ea5becb
--- /dev/null
+++ b/changelog.d/dockerfile-config-perms.fix
@@ -0,0 +1 @@
+- Fix config ownership in dockerfile to pass restriction test
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 34895c8d5..a3166bc96 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -93,18 +93,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 
     img_src = "img-src 'self' data: blob:"
     media_src = "media-src 'self'"
+    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
 
     # Strict multimedia CSP enforcement only when MediaProxy is enabled
-    {img_src, media_src} =
+    {img_src, media_src, connect_src} =
       if Config.get([:media_proxy, :enabled]) &&
            !Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do
         sources = build_csp_multimedia_source_list()
-        {[img_src, sources], [media_src, sources]}
+        {
+          [img_src, sources],
+          [media_src, sources],
+          [connect_src, sources]
+        }
       else
-        {[img_src, " https:"], [media_src, " https:"]}
+        {
+          [img_src, " https:"],
+          [media_src, " https:"],
+          [connect_src, " https:"]
+        }
       end
 
-    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
 
     connect_src =
       if Config.get(:env) == :dev do
diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
index 380a80ab8..64329e4ba 100644
--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@@ -31,7 +31,7 @@ defmodule Pleroma.Web.XML do
         |> :binary.bin_to_list()
         |> :xmerl_scan.string(
           quiet: true,
-          fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
+          allow_entities: false
         )
 
       {:ok, doc}
diff --git a/test/fixtures/xml_billion_laughs.xml b/test/fixtures/xml_billion_laughs.xml
new file mode 100644
index 000000000..75fb24cae
--- /dev/null
+++ b/test/fixtures/xml_billion_laughs.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+ <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+ <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+ <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+ <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+ <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+ <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+ <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>
diff --git a/test/pleroma/web/xml_test.exs b/test/pleroma/web/xml_test.exs
index 89d4709b6..49306430b 100644
--- a/test/pleroma/web/xml_test.exs
+++ b/test/pleroma/web/xml_test.exs
@@ -3,6 +3,11 @@ defmodule Pleroma.Web.XMLTest do
 
   alias Pleroma.Web.XML
 
+  test "refuses to parse any entities from XML" do
+    data = File.read!("test/fixtures/xml_billion_laughs.xml")
+    assert(:error == XML.parse_document(data))
+  end
+
   test "refuses to load external entities from XML" do
     data = File.read!("test/fixtures/xml_external_entities.xml")
     assert(:error == XML.parse_document(data))