Pre-release

@Gargron Gargron released this May 15, 2018 · 886 commits to master since this release


Mastodon

Note: This is a release candidate. It is intended to be stable, but not guaranteed.

⚠️ Vulnerability patch ⚠️

Affected versions: v2.4.0rc1, v2.4.0rc2 and anyone who updated to the master branch on commit ca42f9b. ⭐️ No stable versions affected ⭐️

What to do (if affected): Rotate secrets contained within .env.production. Everyone's setup is a bit different so you have to judge for yourself, but especially look out for

  • SMTP_PASSWORD,
  • AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY,
  • VAPID_PRIVATE_KEY/VAPID_PUBLIC_KEY,
  • DB_PASS,
  • SECRET_KEY_BASE and OTP_SECRET
    (if you still have PAPERCLIP_SECRET in there, you can just remove it, the code doesn't use it anymore)

If your database server is configured correctly, with a firewall not allowing outside connections, and pg_hba.conf also not allowing outside connections (that is the default), or if you are using docker-compose, which holds the database in an internal network inaccessible from the outside (that is the default), then your database is safe.

If you were performing assets:precompile on a machine without .env.production, then you are not affected by this vulnerability at all, though updating is still advisable.
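To judge whether an instance is affected, an admin can check whether the values from .env.production actually ended up in the compiled JavaScript. The script below is an added example, not part of this release or of Mastodon's own code; it assumes the compiled bundles live under public/packs (the webpacker default) and uses constructed sample values, not real secrets.

```python
import re
from pathlib import Path

# Keys the advisory singles out for rotation. VAPID_PUBLIC_KEY is omitted because
# it is public by design; it is rotated together with the private key anyway.
SENSITIVE_KEYS = [
    "SMTP_PASSWORD", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "VAPID_PRIVATE_KEY", "DB_PASS", "SECRET_KEY_BASE", "OTP_SECRET",
    "PAPERCLIP_SECRET",
]

def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file, ignoring comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def find_leaked_secrets(env, bundles):
    """Return the sensitive keys whose values appear verbatim in any compiled bundle."""
    leaked = set()
    for key in SENSITIVE_KEYS:
        value = env.get(key)
        if not value or len(value) < 8:  # very short values would produce false matches
            continue
        if any(value in js for js in bundles):
            leaked.add(key)
    return sorted(leaked)

def scan_packs_dir(env_path=".env.production", packs_dir="public/packs"):
    """Scan every .js file under the assumed webpacker output directory."""
    env = parse_env(Path(env_path).read_text())
    bundles = [p.read_text(errors="ignore") for p in Path(packs_dir).rglob("*.js")]
    return find_leaked_secrets(env, bundles)

# Constructed sample input: a small .env.production and one compiled bundle
# in which only SECRET_KEY_BASE has leaked.
SAMPLE_ENV = """\
# constructed example, not real secrets
SMTP_PASSWORD=examplesmtppassword123
SECRET_KEY_BASE=0123456789abcdef0123456789abcdef
DB_PASS=short
"""
SAMPLE_BUNDLE = 'var env={SECRET_KEY_BASE:"0123456789abcdef0123456789abcdef",NODE_ENV:"production"};'

if __name__ == "__main__":
    print(find_leaked_secrets(parse_env(SAMPLE_ENV), [SAMPLE_BUNDLE]))  # ['SECRET_KEY_BASE']
```

An empty result only shows that the current bundles are clean; if affected builds were ever served, rotate the secrets as the advisory says.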

Special notes on secret rotation:

  • Changing the VAPID keypair will break existing Web Push API subscriptions (that is, push notifications from the web UI), but this is not a big deal: the web UI can simply re-subscribe.
  • Changing SECRET_KEY_BASE will log everyone out, so they will have to log in again.
  • Changing OTP_SECRET will break 2FA authentication; you need to perform an extra step to disable 2FA for everyone so they can re-enable it with the new secret later. From RAILS_ENV=production bundle exec rails console (or the docker-compose equivalent), run: User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)

Other notes: The vulnerability was discovered yesterday (5/14) at 5:30pm (CEST). A patch was merged into master at 5:45pm. At 7:55pm I have gotten in touch with admins of instances I suspected could be affected.

Fixes:

  • Limit environment variables exposed to Webpack (#7480)
  • Revert index change on statuses for GET /api/v1/accounts/:account_id/statuses (slow query) (#7484)
  • Disallow async function in service worker to allow minimizing the JS (#7482)
  • Fix account URI not updating when updating ActivityPub account (#7488)

Upgrade notes:

Both Docker and non-Docker:

  • This release includes database migrations, so you need to run RAILS_ENV=production bundle exec rails db:migrate (in Docker: docker-compose run --rm web rails db:migrate).
  • This release includes changes to assets, so you need to run RAILS_ENV=production bundle exec rails assets:precompile (in Docker: docker-compose run --rm web rails assets:precompile).

Contributors to this release:

@akihikodaki
@Gargron
@wiktor-k