Note: This is a release candidate. It is intended to be stable, but not guaranteed.
Affected versions: v2.4.0rc1, v2.4.0rc2, and anyone who updated to the master branch at commit ca42f9b.
What to do (if affected): Rotate the secrets contained in `.env.production`. Everyone's setup is a bit different, so you have to judge for yourself, but especially look out for
(if you still have `PAPERCLIP_SECRET` in there, you can just remove it; the code doesn't use it anymore)
If your database server is configured correctly, with a firewall that does not allow outside connections and a `pg_hba.conf` that also does not allow outside connections (that is the default), or if you are using docker-compose, which keeps the database on an internal network inaccessible from the outside (that is the default), then your database is safe.
If you were performing `assets:precompile` on a machine without `.env.production`, then you are not affected by this vulnerability at all, though updating is still advisable.
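The following is an added example, not part of these release notes or of Mastodon's own code: a POSIX shell check that answers, for your own deployment, which values from `.env.production` were actually baked into the compiled Webpack bundles. It assumes the compiled output lives under `public/packs` (an assumption about the default layout; adjust the path if yours differs) and is meant to be run against the bundles built before you upgrade and re-run `assets:precompile`. The `.env.production` and bundle it builds for the demo are constructed sample data. Every key it prints should be treated as public and rotated.

```shell
#!/bin/sh
# Added example, not part of the Mastodon release notes or code base.
# Checks whether values of secrets in .env.production occur verbatim in the
# compiled Webpack output. Assumes the output directory public/packs.

# find_leaked_secrets ENV_FILE PACKS_DIR
# Prints the name of every KEY in ENV_FILE whose value appears verbatim in any
# file under PACKS_DIR. Surrounding quotes are stripped the way Dotenv reads
# them; values shorter than 8 characters are skipped because short values such
# as LOCAL_HTTPS=true would match almost any bundle.
find_leaked_secrets() {
  env_file=$1
  packs_dir=$2
  grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$env_file" | while IFS='=' read -r key value; do
    value=$(printf '%s' "$value" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/")
    if [ "${#value}" -lt 8 ]; then
      continue
    fi
    if grep -rqF -- "$value" "$packs_dir" 2>/dev/null; then
      echo "$key"
    fi
  done
}

# make_fixture
# Builds a throwaway directory with a constructed sample .env.production and a
# constructed "compiled" bundle into which two of the secrets were embedded.
# Prints the fixture directory so the caller can clean it up.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/public/packs"
  cat > "$dir/.env.production" <<'EOF'
# constructed sample, not a real deployment
LOCAL_DOMAIN=example.com
LOCAL_HTTPS=true
DB_PASS=correcthorsebatterystaple
SECRET_KEY_BASE="0123456789abcdef0123456789abcdef"
OTP_SECRET='fedcba9876543210fedcba9876543210'
VAPID_PRIVATE_KEY=VapidPrivateKeyConstructedSample
EOF
  # The bundle embeds DB_PASS and SECRET_KEY_BASE but not OTP_SECRET or the VAPID key.
  printf '%s\n' \
    'process.env={"DB_PASS":"correcthorsebatterystaple","SECRET_KEY_BASE":"0123456789abcdef0123456789abcdef"};' \
    > "$dir/public/packs/application.js"
  echo "$dir"
}

# Real deployment (paths are assumptions, adjust to your install):
#   find_leaked_secrets /home/mastodon/live/.env.production /home/mastodon/live/public/packs
# Demo against the constructed fixture:
if [ "${1:-}" = "--demo" ]; then
  fx=$(make_fixture)
  find_leaked_secrets "$fx/.env.production" "$fx/public/packs"
  rm -rf "$fx"
fi
```

Run it with `--demo` to see it report `DB_PASS` and `SECRET_KEY_BASE` for the constructed fixture. Against a real install, an empty result only means the values were not embedded verbatim; it does not replace rotating the secrets if the affected versions were ever deployed with `.env.production` present at precompile time.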
Special notes on secret rotation:
- Changing the VAPID keypair will break existing Web Push API subscriptions (that is, push notifications from the web UI), but this is not a big deal; the web UI can just re-subscribe.
- Changing `SECRET_KEY_BASE` will log everyone out, so they'll have to log in again.
- Changing `OTP_SECRET` will break 2FA authentication; you need to perform an extra step to disable 2FA for everyone so they can re-enable it with the new secret later. From `RAILS_ENV=production bundle exec rails console` (or the docker-compose equivalent), run:
  `User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)`
Other notes: The vulnerability was discovered yesterday (5/14) at 5:30pm (CEST). A patch was merged into master at 5:45pm. At 7:55pm I had gotten in touch with admins of instances I suspected could be affected.
- Limit environment variables exposed to Webpack (#7480)
- Revert index change on statuses for GET /api/v1/accounts/:account_id/statuses (slow query) (#7484)
- Disallow async function in service worker to allow minimizing the JS (#7482)
- Fix account URI not updating when updating ActivityPub account (#7488)
Both Docker and non-Docker:
- This release includes database migrations, so you need to run `RAILS_ENV=production bundle exec rails db:migrate` (in Docker: `docker-compose run --rm web rails db:migrate`).
- This release includes changes to assets, so you need to run `RAILS_ENV=production bundle exec rails assets:precompile` (in Docker: `docker-compose run --rm web rails assets:precompile`).
Contributors to this release: