
Fix incorrect connect timeout in outgoing requests #26116

Merged: 1 commit merged into main from fixes/connect-timeout on Jul 22, 2023

Conversation

ClearlyClaire (Contributor) commented Jul 22, 2023

Fixes #26115

Fix issue introduced by #26055

ronilaukkarinen added a commit to ronilaukkarinen/mastodon that referenced this pull request Jul 22, 2023
@Gargron Gargron merged commit 0078e7e into main Jul 22, 2023
46 checks passed
@Gargron Gargron deleted the fixes/connect-timeout branch July 22, 2023 18:42
mgmn pushed a commit to mgmn/mastodon-kumarinco that referenced this pull request Jul 23, 2023
@ClearlyClaire ClearlyClaire mentioned this pull request Jul 27, 2023
@ClearlyClaire ClearlyClaire mentioned this pull request Jul 28, 2023
ClearlyClaire added a commit to ClearlyClaire/mastodon that referenced this pull request Jul 28, 2023
@ClearlyClaire ClearlyClaire mentioned this pull request Jul 28, 2023
ClearlyClaire added a commit to glitch-soc/mastodon that referenced this pull request Jul 30, 2023
* Cleanup unused portions of statuses/status partial (mastodon#26045)

* Wrong count in response when removing favourite/reblog (mastodon#24365)

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

* Paperclip: add support for Azure blob storage (mastodon#23607)

* Fix a missing redirection on getting-started in multi column mode (mastodon#26070)

* Fix haml-lint Rubocop `Style/NumericPredicate` cop (mastodon#26040)

* Change casing for 'Server Settings' string (mastodon#26011)

* Move localized subject mailer shared example to separate file (mastodon#25889)

* Fix haml-lint Rubocop `Lint/UnusedBlockArguments` cop (mastodon#26039)

* Fix `Lint/Void` cop (mastodon#25922)

* Add stricter protocol fields validation for accounts (mastodon#25937)

* Improve the bug report templates (mastodon#25621)

* Fix the crossorigin attribute (mastodon#26096)

* Fix replica being used even if not explicitly defined (mastodon#26074)

* Clean up unused application records (mastodon#24871)

* Change thread view to scroll to the selected post rather than the post being replied to (mastodon#24685)

* Change default KeyGenerator digest to SHA1 to fix cookies in rolling upgrades (mastodon#26023)

* change focus ui for keyboard only input (mastodon#25935)

* Use username as display name for suspended users or users with blank display names (mastodon#25276)

* Fix CSP headers being unintendedly wide (mastodon#26105)

* Fix linting issue (mastodon#26106)

* Replace 'favourite' by 'favorite' for American English (mastodon#26009)

* Override default Action Mailer `preview_path` (mastodon#26110)

* Favourits -> Favorites (mastodon#26109)

* Bump version to v4.1.5 (mastodon#26108)

* Fix incorrect connect timeout in outgoing requests (mastodon#26116)

* Fix missing translation strings for importing lists (mastodon#26120)

* Use valid email address for first account (mastodon#26114)

* Update haml-lint 0.49.1 (mastodon#26118)

* Fix focus and hover styles in web UI (mastodon#26125)

* Remove back button from bookmarks, favourites and lists screens in web UI (mastodon#26126)

* Remove 16:9 cropping from web UI (mastodon#26132)

* Change design of link previews in web UI (mastodon#26136)

* change poll form element colors to fit with the rest of the ui (mastodon#26139)

* Add `lang` attribute to trending links (mastodon#26111)

* Update dependency rdf-normalize to v0.6.1 (mastodon#26130)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update dependency brakeman to v6.0.1 (mastodon#26141)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update dependency postcss to v8.4.27 (mastodon#26144)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Fix unexpected redirection to /explore after sign-in (mastodon#26143)

* Update dependency aws-sdk-s3 to v1.131.0 (mastodon#26145)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Add report.updated webhook (mastodon#24211)

* Fix LinkCrawlWorker crashing on `null` `created_at` (mastodon#26151)

* Fix UI Overlap with the loupe icon in the Explore Tab (mastodon#26113)

* Fix missing border on error screen in light theme in web UI (mastodon#26152)

* Fix missing action label on sensitive videos and embeds in web UI (mastodon#26135)

* Fix `lang` for UI texts in link preview (mastodon#26149)

* Add published date and author to news on the explore screen in web UI (mastodon#26155)

* Coverage for `Auth::OmniauthCallbacks` controller (mastodon#26147)

* fix poll input active style (mastodon#26162)

* Add `published_at` attribute to preview cards (mastodon#26153)

* Update dependency sass to v1.64.1 (mastodon#26146)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Revert poll colors to green outside of compose form (mastodon#26164)

* Preserve translation on status re-import (mastodon#26168)

* Fix missing GIF badge in account gallery (mastodon#26166)

* Reformat large text arg in `FetchLinkCardService` spec (mastodon#26183)

* Ignore long line in regex initializer (mastodon#26182)

* Reformat large key values in service specs (mastodon#26181)

* Reformat large hash in `ContextHelper` module (mastodon#26180)

* Use heredoc SQL blocks in `AddFromAccountIdToNotifications` migration (mastodon#26178)

* Extract private methods in `StatusCacheHydrator` (mastodon#26177)

* New Crowdin Translations (automated) (mastodon#26072)

Co-authored-by: GitHub Actions <noreply@github.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>

* Remove the `sr` locale override .rb files (mastodon#25927)

* Use correct naming on controller concern specs (mastodon#26197)

* Migrate to request specs in `/api/v2/filters` (mastodon#25721)

* Fix wrong filters sometimes applying in streaming (mastodon#26159)

* Refactor streaming's filtering logic & improve documentation (mastodon#26213)

* Add role badges to the WebUI (mastodon#25649)

* Change interaction modal in web UI (mastodon#26075)

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>

* Fix crash when processing Flag activity with no status (mastodon#26189)

* Storage: add :azure to remaining callers (mastodon#26080)

* Remove queued_at value from pubsub payloads (mastodon#26173)

* Fix emoji picker button scrolling with textarea content in single-column view (mastodon#25304)

* Change the wording of the dismissable explore prompt (mastodon#25917)

* Update dependency haml_lint to v0.49.2 (mastodon#26222)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Fix: Streaming server memory leak in HTTP EventSource cleanup (mastodon#26228)

* Swap debug statements in streaming server (mastodon#26231)

* Fix missing return values in streaming (mastodon#26233)

* [Glitch] Wrong count in response when removing favourite/reblog

Port 4c18928 to glitch-soc

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Fix a missing redirection on getting-started in multi column mode

Port 586b1c9 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Change thread view to scroll to the selected post rather than the post being replied to

Port e4ea80d to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Replace 'favourite' by 'favorite' for American English

Port 217ef7f to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] change poll form element colors to fit with the rest of the ui

Port 80809ef to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Add `lang` attribute to trending links

Port 76fce34 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Fix UI Overlap with the loupe icon in the Explore Tab

Port 9a567ec to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Fix missing border on error screen in light theme in web UI

Port d1a9f60 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Fix missing action label on sensitive videos and embeds in web UI

Port 714a206 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] fix poll input active style

Port 49d2e89 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Revert poll colors to green outside of compose form

Port ce1f35d to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Add published date and author to news on the explore screen in web UI

Port f826a95 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Preserve translation on status re-import

Port 6781dc6 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Fix missing GIF badge in account gallery

Port a4b69be to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* Fix interaction modal being broken because of glitch-soc's theming system

* [Glitch] Change interaction modal in web UI

Port b4e739f to glitch-soc

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* [Glitch] Change the wording of the dismissable explore prompt

Port a4ec187 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>

* Fix CSP tests in glitch-soc

---------

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Matt Jankowski <matt@jankowski.online>
Co-authored-by: Christian Schmidt <github@chsc.dk>
Co-authored-by: Misty De Méo <mistydemeo@gmail.com>
Co-authored-by: Stanislas Signoud <signez@stanisoft.net>
Co-authored-by: gunchleoc <fios@foramnagaidhlig.net>
Co-authored-by: Renaud Chaput <renchap@gmail.com>
Co-authored-by: Trevor Wolf <teeerevor@gmail.com>
Co-authored-by: наб <nabijaczleweli@nabijaczleweli.xyz>
Co-authored-by: mogaminsk <mgmnjp@icloud.com>
Co-authored-by: Nick Schonning <nschonni@gmail.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Vyr Cossont <VyrCossont@users.noreply.github.com>
Co-authored-by: gol-cha <info@mevo.xyz>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: GitHub Actions <noreply@github.com>
Co-authored-by: Daniel M Brasil <danielmbrasil@protonmail.com>
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
nrdufour added a commit to nrdufour/home-ops that referenced this pull request Aug 1, 2023
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/mastodon/mastodon](https://github.com/mastodon/mastodon) | patch | `v4.1.2` -> `v4.1.6` |

---

### Release Notes

<details>
<summary>mastodon/mastodon (ghcr.io/mastodon/mastodon)</summary>

### [`v4.1.6`](https://github.com/mastodon/mastodon/releases/tag/v4.1.6)

[Compare Source](mastodon/mastodon@v4.1.5...v4.1.6)


> ⚠️ We recently released critical security updates, so if you are still using 4.1.2 or below, 4.0.4 or below, or 3.5.8 or below, please update as soon as possible (see the release notes for [v4.1.4](https://github.com/mastodon/mastodon/releases/tag/v4.1.4)).

#### Upgrade overview

ℹ️ Requires streaming API restart

For more information, scroll down to the upgrade instructions section.

#### Changelog

##### Fixed

-   Fix memory leak in streaming server ([ThisIsMissEm](mastodon/mastodon#26228))
-   Fix wrong filters sometimes applying in streaming ([ClearlyClaire](mastodon/mastodon#26159), [ThisIsMissEm](mastodon/mastodon#26213), [renchap](mastodon/mastodon#26233))
-   Fix incorrect connect timeout in outgoing requests ([ClearlyClaire](mastodon/mastodon#26116))

#### Upgrade notes

To get the code for v4.1.6, use `git fetch && git checkout v4.1.6`.

> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: `docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump`

##### Dependencies

External dependencies have not changed compared to v4.1.5; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

-   Ruby: 2.7 to 3.0
-   PostgreSQL: 9.5 or newer
-   Elasticsearch (optional, for full-text search): 7.x
-   Redis: 4 or newer
-   Node: >= 14, < 18
-   ImageMagick: 6.9.7-7 or newer

> If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it [on this page](mastodon/mastodon#25776).

##### Update steps

The following instructions are for updating from 4.1.5.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

**Non-Docker only:**

1.  Install dependencies: `bundle install` and `yarn install`

**Both Docker and non-Docker:**

1.  Restart all Mastodon processes

### [`v4.1.5`](https://github.com/mastodon/mastodon/releases/tag/v4.1.5)

[Compare Source](mastodon/mastodon@v4.1.4...v4.1.5)


> ⚠️ We recently released critical security updates, so if you are still using 4.1.2 or below, 4.0.4 or below, or 3.5.8 or below, please update as soon as possible (see the release notes for [v4.1.4](https://github.com/mastodon/mastodon/releases/tag/v4.1.4)).

#### Changelog

##### Added

-   Add check preventing Sidekiq workers from running with Makara configured ([ClearlyClaire](mastodon/mastodon#25850))

##### Changed

-   Change request timeout handling to use a longer deadline ([ClearlyClaire](mastodon/mastodon#26055))

##### Fixed

-   Fix moderation interface for remote instances with a .zip TLD ([ClearlyClaire](mastodon/mastodon#25885))
-   Fix remote accounts being possibly persisted to database with incomplete protocol values ([ClearlyClaire](mastodon/mastodon#25886))
-   Fix trending publishers table not rendering correctly on narrow screens ([vmstan](mastodon/mastodon#25945))

##### Security

-   Fix CSP headers being unintentionally wide ([ClearlyClaire](mastodon/mastodon#26105))

#### Upgrade notes

To get the code for v4.1.5, use `git fetch && git checkout v4.1.5`.

> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: `docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump`

##### Dependencies

External dependencies have not changed compared to v4.1.4; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

-   Ruby: 2.7 to 3.0
-   PostgreSQL: 9.5 or newer
-   Elasticsearch (optional, for full-text search): 7.x
-   Redis: 4 or newer
-   Node: >= 14, < 18
-   ImageMagick: 6.9.7-7 or newer

> If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it [on this page](mastodon/mastodon#25776).

##### Update steps

The following instructions are for updating from 4.1.4.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

**Non-Docker only:**

1.  Install dependencies: `bundle install` and `yarn install`

**Both Docker and non-Docker:**

1.  Restart all Mastodon processes

### [`v4.1.4`](https://github.com/mastodon/mastodon/releases/tag/v4.1.4)

[Compare Source](mastodon/mastodon@v4.1.3...v4.1.4)


> This release addresses a few issues that were missed in the last security update and includes changelogs for both updates.
>
> ⚠️ It is a follow-up to the important 4.1.3 security release fixing multiple **critical security issues** (CVE-2023-36460, CVE-2023-36459).
>
> Corresponding security releases are available for the [4.0.x branch](https://github.com/mastodon/mastodon/releases/tag/v4.0.6) and the [3.5.x branch](https://github.com/mastodon/mastodon/releases/tag/v3.5.10).
> If you are using nightly builds, **do not use this release** but update to `nightly-2023-07-07-v4.1.4` or newer instead. If you are on the `main` branch, update to the latest commit.

#### Upgrade overview

This release contains upgrade notes that deviate from the norm:

ℹ️ Requires streaming API restart
ℹ️ There are suggested reverse proxy configuration changes
⚠️ The minimal supported ImageMagick version has been bumped to 6.9.7-7

For more information, scroll down to the upgrade instructions section.

#### Changelog (v4.1.4)

##### Fixed

-   Fix branding:generate_app_icons failing because of disallowed ICO coder ([ClearlyClaire](mastodon/mastodon#25794))
-   Fix crash in admin interface when viewing a remote user with verified links ([ClearlyClaire](mastodon/mastodon#25796))
-   Fix processing of media files with unusual names ([ClearlyClaire](mastodon/mastodon#25788))

#### Changelog (v4.1.3)

##### Added

-   Add fallback redirection when getting a webfinger query `LOCAL_DOMAIN@LOCAL_DOMAIN` ([ClearlyClaire](mastodon/mastodon#23600))

##### Changed

-   Change OpenGraph-based embeds to allow fullscreen ([ClearlyClaire](mastodon/mastodon#25058))
-   Change AccessTokensVacuum to also delete expired tokens ([ClearlyClaire](mastodon/mastodon#24868))
-   Change profile updates to be sent to recently-mentioned servers ([ClearlyClaire](mastodon/mastodon#24852))
-   Change automatic post deletion thresholds and load detection ([ClearlyClaire](mastodon/mastodon#24614))
-   Change `/api/v1/statuses/:id/history` to always return at least one item ([ClearlyClaire](mastodon/mastodon#25510))
-   Change auto-linking to allow carets in URL query params ([renchap](mastodon/mastodon#25216))

##### Removed

-   Remove invalid `X-Frame-Options: ALLOWALL` ([ClearlyClaire](mastodon/mastodon#25070))

##### Fixed

-   Fix wrong view being displayed when a webhook fails validation ([ClearlyClaire](mastodon/mastodon#25464))
-   Fix soft-deleted post cleanup scheduler overwhelming the streaming server ([ThisIsMissEm](mastodon/mastodon#25519))
-   Fix incorrect pagination headers in `/api/v2/admin/accounts` ([danielmbrasil](mastodon/mastodon#25477))
-   Fix multiple inefficiencies in automatic post cleanup worker ([ClearlyClaire](mastodon/mastodon#24607), [ClearlyClaire](mastodon/mastodon#24785), [ClearlyClaire](mastodon/mastodon#24840))
-   Fix performance of streaming by parsing message JSON once ([ThisIsMissEm](mastodon/mastodon#25278), [ThisIsMissEm](mastodon/mastodon#25361))
-   Fix CSP headers when `S3_ALIAS_HOST` includes a path component ([ClearlyClaire](mastodon/mastodon#25273))
-   Fix `tootctl accounts approve --number N` not approving N earliest registrations ([danielmbrasil](mastodon/mastodon#24605))
-   Fix reports not being closed when performing batch suspensions ([ClearlyClaire](mastodon/mastodon#24988))
-   Fix being able to vote on your own polls ([ClearlyClaire](mastodon/mastodon#25015))
-   Fix race condition when reblogging a status ([ClearlyClaire](mastodon/mastodon#25016))
-   Fix “Authorized applications” inefficiently and incorrectly getting last use date ([ClearlyClaire](mastodon/mastodon#25060))
-   Fix “Authorized applications” crashing when listing apps with certain admin API scopes ([ClearlyClaire](mastodon/mastodon#25713))
-   Fix multiple N+1s in ConversationsController ([ClearlyClaire](mastodon/mastodon#25134), [ClearlyClaire](mastodon/mastodon#25399), [ClearlyClaire](mastodon/mastodon#25499))
-   Fix user archive takeouts when using OpenStack Swift ([ClearlyClaire](mastodon/mastodon#24431))
-   Fix searching for remote content by URL not working under certain conditions ([ClearlyClaire](mastodon/mastodon#25637))
-   Fix inefficiencies in indexing content for search ([VyrCossont](mastodon/mastodon#24285), [VyrCossont](mastodon/mastodon#24342))

##### Security

-   Add finer permission requirements for managing webhooks ([ClearlyClaire](mastodon/mastodon#25463))
-   Update dependencies
-   Add hardening headers for user-uploaded files ([ClearlyClaire](mastodon/mastodon#25756))
-   Fix verified links possibly hiding important parts of the URL (CVE-2023-36462)
-   Fix timeout handling of outbound HTTP requests (CVE-2023-36461)
-   Fix arbitrary file creation through media processing (CVE-2023-36460)
-   Fix possible XSS in preview cards (CVE-2023-36459)

#### Upgrade notes

To get the code for v4.1.4, use `git fetch && git checkout v4.1.4`.

> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: `docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump`

##### Dependencies

Apart from ImageMagick, external dependencies have not changed compared to v4.1.2; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

-   Ruby: 2.7 to 3.0
-   PostgreSQL: 9.5 or newer
-   Elasticsearch (optional, for full-text search): 7.x
-   Redis: 4 or newer
-   Node: >= 14, < 18
-   ImageMagick: 6.9.7-7 or newer

If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it [on this page](mastodon/mastodon#25776).

##### Update steps

The following instructions are for updating from 4.1.2.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

**Non-Docker only:**

1.  Install dependencies: `bundle install` and `yarn install`

**Both Docker and non-Docker:**

ℹ️ The recommended configuration for reverse proxies has been updated. Unlike updating Mastodon itself, this is not urgent, but hardening. The change is about setting `Content-Security-Policy: default-src 'none'; form-action 'none'` and `X-Content-Type-Options: nosniff` on assets. Check `dist/nginx.conf` for more information, and [the documentation](https://docs.joinmastodon.org/admin/optional/object-storage-proxy/) if you are proxying external object storage.

1.  Restart all Mastodon processes

### [`v4.1.3`](https://github.com/mastodon/mastodon/releases/tag/v4.1.3)

[Compare Source](mastodon/mastodon@v4.1.2...v4.1.3)


> ⚠️ This release is an important security release fixing multiple **critical security issues** (CVE-2023-36460, CVE-2023-36459).
>
> Corresponding security releases are available for the [4.0.x branch](https://github.com/mastodon/mastodon/releases/tag/v4.0.5) and the [3.5.x branch](https://github.com/mastodon/mastodon/releases/tag/v3.5.9).
> If you are using nightly builds, **do not use this release** but update to `nightly-2023-07-06-security` or newer instead. If you are on the `main` branch, update to the latest commit.

#### Upgrade overview

This release contains upgrade notes that deviate from the norm:

ℹ️ Requires streaming API restart
ℹ️ There are suggested reverse proxy configuration changes
⚠️ The minimal supported ImageMagick version has been bumped to 6.9.7-7

For more information, scroll down to the upgrade instructions section.

#### Changelog

##### Added

-   Add fallback redirection when getting a webfinger query `LOCAL_DOMAIN@LOCAL_DOMAIN` ([ClearlyClaire](mastodon/mastodon#23600))

##### Changed

-   Change OpenGraph-based embeds to allow fullscreen ([ClearlyClaire](mastodon/mastodon#25058))
-   Change AccessTokensVacuum to also delete expired tokens ([ClearlyClaire](mastodon/mastodon#24868))
-   Change profile updates to be sent to recently-mentioned servers ([ClearlyClaire](mastodon/mastodon#24852))
-   Change automatic post deletion thresholds and load detection ([ClearlyClaire](mastodon/mastodon#24614))
-   Change `/api/v1/statuses/:id/history` to always return at least one item ([ClearlyClaire](mastodon/mastodon#25510))
-   Change auto-linking to allow carets in URL query params ([renchap](mastodon/mastodon#25216))

##### Removed

-   Remove invalid `X-Frame-Options: ALLOWALL` ([ClearlyClaire](mastodon/mastodon#25070))

##### Fixed

-   Fix wrong view being displayed when a webhook fails validation ([ClearlyClaire](mastodon/mastodon#25464))
-   Fix soft-deleted post cleanup scheduler overwhelming the streaming server ([ThisIsMissEm](mastodon/mastodon#25519))
-   Fix incorrect pagination headers in `/api/v2/admin/accounts` ([danielmbrasil](mastodon/mastodon#25477))
-   Fix multiple inefficiencies in automatic post cleanup worker ([ClearlyClaire](mastodon/mastodon#24607), [ClearlyClaire](mastodon/mastodon#24785), [ClearlyClaire](mastodon/mastodon#24840))
-   Fix performance of streaming by parsing message JSON once ([ThisIsMissEm](mastodon/mastodon#25278), [ThisIsMissEm](mastodon/mastodon#25361))
-   Fix CSP headers when `S3_ALIAS_HOST` includes a path component ([ClearlyClaire](mastodon/mastodon#25273))
-   Fix `tootctl accounts approve --number N` not approving N earliest registrations ([danielmbrasil](mastodon/mastodon#24605))
-   Fix reports not being closed when performing batch suspensions ([ClearlyClaire](mastodon/mastodon#24988))
-   Fix being able to vote on your own polls ([ClearlyClaire](mastodon/mastodon#25015))
-   Fix race condition when reblogging a status ([ClearlyClaire](mastodon/mastodon#25016))
-   Fix “Authorized applications” inefficiently and incorrectly getting last use date ([ClearlyClaire](mastodon/mastodon#25060))
-   Fix “Authorized applications” crashing when listing apps with certain admin API scopes ([ClearlyClaire](mastodon/mastodon#25713))
-   Fix multiple N+1s in ConversationsController ([ClearlyClaire](mastodon/mastodon#25134), [ClearlyClaire](mastodon/mastodon#25399), [ClearlyClaire](mastodon/mastodon#25499))
-   Fix user archive takeouts when using OpenStack Swift ([ClearlyClaire](mastodon/mastodon#24431))
-   Fix searching for remote content by URL not working under certain conditions ([ClearlyClaire](mastodon/mastodon#25637))
-   Fix inefficiencies in indexing content for search ([VyrCossont](mastodon/mastodon#24285), [VyrCossont](mastodon/mastodon#24342))

##### Security

-   Add finer permission requirements for managing webhooks ([ClearlyClaire](mastodon/mastodon#25463))
-   Update dependencies
-   Add hardening headers for user-uploaded files ([ClearlyClaire](mastodon/mastodon#25756))
-   Fix verified links possibly hiding important parts of the URL (CVE-2023-36462)
-   Fix timeout handling of outbound HTTP requests (CVE-2023-36461)
-   Fix arbitrary file creation through media processing (CVE-2023-36460)
-   Fix possible XSS in preview cards (CVE-2023-36459)

#### Upgrade notes

To get the code for v4.1.3, use `git fetch && git checkout v4.1.3`.

> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: `docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump`

##### Dependencies

Apart from ImageMagick, external dependencies have not changed compared to v4.1.2; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

-   Ruby: 2.7 to 3.0
-   PostgreSQL: 9.5 or newer
-   Elasticsearch (optional, for full-text search): 7.x
-   Redis: 4 or newer
-   Node: >= 14, < 18
-   ImageMagick: 6.9.7-7 or newer

If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it [on this page](mastodon/mastodon#25776).

##### Update steps

The following instructions are for updating from 4.1.2.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

**Non-Docker only:**

1.  Install dependencies: `bundle install` and `yarn install`

**Both Docker and non-Docker:**

ℹ️ The recommended configuration for reverse proxies has been updated. Unlike updating Mastodon itself, this is not urgent, but hardening. The change is about setting `Content-Security-Policy: default-src 'none'; form-action 'none'` and `X-Content-Type-Options: nosniff` on assets. Check `dist/nginx.conf` for more information, and [the documentation](https://docs.joinmastodon.org/admin/optional/object-storage-proxy/) if you are proxying external object storage.

1.  Restart all Mastodon processes

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.home/nrdufour/home-ops/pulls/17
Co-authored-by: Renovate <renovate@ptinem.io>
Co-committed-by: Renovate <renovate@ptinem.io>
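The release notes quoted above record that #26055 moved outbound requests to a longer overall deadline and that this PR corrects the connect timeout that change got wrong, with #26115 reporting Sidekiq workers freezing in PushNotificationWorker. The following is an added example, not Mastodon's own `Request` or HTTP client code (the limits, the fake clock and the simulated peer are constructed): it models per-operation timeouts under one overall deadline and shows why the connect budget must stay bounded on its own, since a peer that never completes the handshake otherwise holds the worker for the whole deadline.

```ruby
# Deadline-bounded per-operation timeouts for outbound HTTP requests.
# Added example, not Mastodon's own Request/HTTP code; the limits, the
# simulated peer and its delays are constructed for illustration.

# Fake monotonic clock so the simulation is deterministic and runs offline.
class FakeClock
  attr_reader :now

  def initialize
    @now = 0.0
  end

  def advance(seconds)
    @now += seconds
  end
end

class OperationTimeout < StandardError; end
class DeadlineExceeded < StandardError; end

# Per-operation limits plus one overall deadline. Each budget is clamped to
# the time left before the deadline, so no single operation can outlive the
# request as a whole, and no operation can exceed its own limit either.
class DeadlineTimeouts
  def initialize(connect:, read:, write:, deadline:, clock:)
    @limits = { connect: connect, read: read, write: write }
    @clock = clock
    @deadline_at = clock.now + deadline
  end

  def remaining
    @deadline_at - @clock.now
  end

  def budget_for(operation)
    left = remaining
    raise DeadlineExceeded, "deadline passed before #{operation}" if left <= 0
    [@limits.fetch(operation), left].min
  end
end

# Constructed peer: each operation completes after `delay` seconds, or, when
# the delay exceeds the budget, blocks for the whole budget and then fails,
# which is how a socket with a timeout set behaves.
class SimulatedPeer
  def initialize(clock, connect_delay:, response_delay:)
    @clock = clock
    @delays = { connect: connect_delay, write: 0.01, read: response_delay }
  end

  def perform(operation, budget)
    delay = @delays.fetch(operation)
    if delay > budget
      @clock.advance(budget)
      raise OperationTimeout, "#{operation} timed out after #{budget}s"
    end
    @clock.advance(delay)
  end
end

# Runs connect -> write -> read against the peer and reports how long the
# caller (think: a Sidekiq worker) was blocked. With `bounded_connect: false`
# the connect step is handed the whole remaining deadline instead of its own
# limit: an assumed, illustrative form of "incorrect connect timeout", not
# necessarily the exact defect this PR fixed.
def outbound_request(clock, peer, timeouts, bounded_connect: true)
  start = clock.now
  connect_budget = bounded_connect ? timeouts.budget_for(:connect) : timeouts.remaining
  peer.perform(:connect, connect_budget)
  peer.perform(:write, timeouts.budget_for(:write))
  peer.perform(:read, timeouts.budget_for(:read))
  { status: :ok, blocked_for: clock.now - start }
rescue OperationTimeout, DeadlineExceeded => e
  { status: :timeout, blocked_for: clock.now - start, error: e.message }
end

# Assembles one scenario; limits mirror a typical 5s connect / 10s read and
# write policy under a 30s overall deadline (assumed values).
def run_scenario(connect_delay:, response_delay:, deadline: 30, bounded_connect: true)
  clock = FakeClock.new
  peer = SimulatedPeer.new(clock, connect_delay: connect_delay, response_delay: response_delay)
  timeouts = DeadlineTimeouts.new(connect: 5, read: 10, write: 10, deadline: deadline, clock: clock)
  outbound_request(clock, peer, timeouts, bounded_connect: bounded_connect)
end

if $PROGRAM_NAME == __FILE__
  # Peer that never completes the handshake: bounded connect frees the worker
  # after 5s, the unbounded variant holds it for the full 30s deadline.
  p run_scenario(connect_delay: Float::INFINITY, response_delay: 1)
  p run_scenario(connect_delay: Float::INFINITY, response_delay: 1, bounded_connect: false)
  # Fast connect, slow answer: the read budget is clamped to the 8s deadline.
  p run_scenario(connect_delay: 1, response_delay: 15, deadline: 8)
end
```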
Successfully merging this pull request may close these issues.

v4.1.5 Sidekiq freezes processing PushNotificationWorker