This is a backport release. Please upgrade as soon as possible.
Note: If you were testing the master branch after 2.4.3, this is not an upgrade for you. Simply update to the master branch after commit 802cf6a.
Fix vulnerability allowing impersonation of remote users (#8372)
If left unpatched, this vulnerability allows a malicious actor with a local account on an instance to make it look like a remote user posted an arbitrary status, and to modify profile information as seen from that particular instance. For clarification: it does not affect the real account on its origin instance; rather, it affects how a particular, attacked instance sees that remote account.
Because this is a backport, it is not available with git pull. Use:
git fetch && git checkout v2.4.4
- Update dependencies:
bundle install (Note: You will see a large post-install message about Doorkeeper. It is addressed to us, not you.)
Both Docker and non-Docker:
- This release includes database migrations, which means you need to run RAILS_ENV=production bundle exec rails db:migrate (in Docker: docker-compose run --rm web rails db:migrate).
Upgrading from earlier versions:
From 2.3.1, 2.3.2, 2.3.3, 2.4.0: Upgrade to 2.4.1 first, then continue to 2.4.4.
From 2.4.1 and 2.4.2: Upgrade to 2.4.4 straight away.
For each upgrade, you need to run rails assets:precompile (with the correct options and invocations as described in the documentation applicable to your deployment method).