
@Gargron Gargron released this Aug 22, 2018 · 6 commits to stable-2.4 since this release

Mastodon

⚠️ Vulnerability patch ⚠️
This is a backport release. Please upgrade as soon as possible.

Note: If you were testing the master branch after 2.4.3, this is not an upgrade for you. Simply update to the master branch after commit 802cf6a.

Fixes:

Upgrade Doorkeeper to fix CVE-2018-1000211 (#8197)
If unpatched, this vulnerability prevents API access tokens from being properly revoked when revocation is requested.

Fix vulnerability allowing impersonation of remote users (#8372)
If unpatched, this vulnerability allows a malicious actor with a local account on an instance to make it appear, on that instance, that a remote user posted an arbitrary status, and to modify that remote user's profile information as seen from that instance. To clarify: it does not affect the real account on its origin instance; it only affects how the particular, attacked instance sees that remote account.

Upgrade notes:

Because this is a backport, it is not available via git pull. Use git fetch && git checkout v2.4.4 instead.

Non-Docker only:

  • Update dependencies: bundle install (Note: You will see a large post-install message about Doorkeeper. It is addressed to us, not you)

Both Docker and non-Docker:

  • This release includes database migrations, which means you need to run RAILS_ENV=production bundle exec rails db:migrate (in Docker: docker-compose run --rm web rails db:migrate).

Upgrading from earlier versions:

From 2.3.1, 2.3.2, 2.3.3, 2.4.0: Upgrade to 2.4.1 first, then continue to 2.4.4.

2.4.1 and 2.4.2: Upgrade to 2.4.4 straight away.

For each upgrade, you need to run bundle install, yarn install, rails db:migrate and rails assets:precompile (with the correct options and invocations as described in the documentation applicable to your deployment method).
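As an added example, and not part of Mastodon's own tooling or of these release notes, the following POSIX shell script turns the upgrade instructions above into a plan: it picks the checkout sequence from the currently running version (via 2.4.1 for 2.3.1 through 2.4.0, straight to 2.4.4 otherwise), and emits the per-step commands for a Docker or non-Docker deployment, using git fetch && git checkout on the tag rather than git pull because this is a backport. The version-to-path mapping is copied from the notes; treating 2.4.3 as a straight upgrade is an assumption, as is the DRY_RUN variable and the placeholder line for rebuilding the Docker image, which the notes do not spell out. By default the script only prints the plan; set DRY_RUN=0 to execute it from a Mastodon checkout.

```shell
#!/bin/sh
# Added example, not Mastodon's own script: plan (and optionally run) the
# upgrade steps from the v2.4.4 release notes.

# Print the tags to check out, in order, for a given currently running version.
# Paths are taken from the release notes; 2.4.3 -> 2.4.4 straight is an assumption.
upgrade_path() {
  case "$1" in
    2.3.1|2.3.2|2.3.3|2.4.0) echo "v2.4.1 v2.4.4" ;;
    2.4.1|2.4.2|2.4.3)       echo "v2.4.4" ;;
    2.4.4)                   echo "" ;;
    *) echo "unsupported starting version: $1" >&2; return 1 ;;
  esac
}

# Print the commands for one upgrade step. Mode is "docker" or "nondocker".
step_commands() {
  tag=$1
  mode=$2
  case "$mode" in
    docker|nondocker) ;;
    *) echo "mode must be docker or nondocker" >&2; return 1 ;;
  esac
  # A backport tag is not reachable with git pull: fetch, then check out the tag.
  echo "git fetch && git checkout $tag"
  if [ "$mode" = docker ]; then
    # Placeholder (assumption): image rebuild/pull is deployment specific and
    # is not given in the notes; lines starting with '#' are never executed.
    echo "# rebuild or pull the web image for $tag as described in your Docker docs"
    echo "docker-compose run --rm web rails db:migrate"
  else
    echo "bundle install"
    echo "yarn install"
    echo "RAILS_ENV=production bundle exec rails db:migrate"
    echo "RAILS_ENV=production bundle exec rails assets:precompile"
  fi
}

# Print the full plan: every intermediate tag, each with its own command list.
plan_upgrade() {
  path=$(upgrade_path "$1") || return 1
  for tag in $path; do
    echo "# step: upgrade to $tag"
    step_commands "$tag" "$2" || return 1
  done
}

# Usage: ./upgrade-plan.sh <current-version> <docker|nondocker>
# DRY_RUN=1 (default) prints the plan; DRY_RUN=0 executes it, stopping on the
# first failing command.
if [ $# -eq 2 ]; then
  if [ "${DRY_RUN:-1}" = 0 ]; then
    plan_upgrade "$1" "$2" | grep -v '^#' | sh -e
  else
    plan_upgrade "$1" "$2"
  fi
fi
```

Running `./upgrade-plan.sh 2.4.0 nondocker` prints two steps (v2.4.1, then v2.4.4), each with the checkout, dependency, migration and asset commands; `./upgrade-plan.sh 2.4.2 docker` prints a single step ending in the db:migrate invocation from the notes. The plan is printed before anything runs so an operator can review it, and executing through `sh -e` means a failed bundle install or migration halts the sequence rather than continuing to the next tag.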

Contributors to this release:

@Gargron
@ThibG
