Headline
CVE-2023-36461: Release v3.5.9 · mastodon/mastodon
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
⚠️ This release is an important security release fixing multiple critical security issues (CVE-2023-36460, CVE-2023-36459).
Corresponding security releases are available for the 4.1.x branch and the 4.0.x branch.
If you are using nightly builds, do not use this release but update to nightly-2023-07-06-security or newer instead. If you are on the main branch, update to the latest commit.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires streaming API restart
ℹ️ There are suggested reverse proxy configuration changes
⚠️ The minimal supported ImageMagick version has been bumped to 6.9.7-7
For more information, scroll down to the upgrade instructions section.
Changelog****Changed
- Change OpenGraph-based embeds to allow fullscreen (ClearlyClaire)
- Change profile updates to be sent to recently-mentioned servers (ClearlyClaire)
- Change auto-linking to allow carets in URL query params (renchap)
Removed
- Remove invalid X-Frame-Options: ALLOWALL (ClearlyClaire)
Fixed
- Fix soft-deleted post cleanup scheduler overwhelming the streaming server (ThisIsMissEm)
- Fix incorrect pagination headers in /api/v2/admin/accounts (danielmbrasil)
- Fix performance of streaming by parsing message JSON once (ThisIsMissEm, ThisIsMissEm)
- Fix CSP headers when S3_ALIAS_HOST includes a path component (ClearlyClaire)
- Fix tootctl accounts approve --number N not aproving N earliest registrations (danielmbrasil)
- Fix being able to vote on your own polls (ClearlyClaire)
- Fix race condition when reblogging a status (ClearlyClaire)
- Fix “Authorized applications” inefficiently and incorrectly getting last use date (ClearlyClaire)
- Fix multiple N+1s in ConversationsController (ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Fix user archive takeouts when using OpenStack Swift (ClearlyClaire)
- Fix inefficiencies in indexing content for search (VyrCossont, VyrCossont)
Security
- Update dependencies
- Add hardening headers for user-uploaded files (ClearlyClaire)
- Fix verified links possibly hiding important parts of the URL (CVE-2023-36462)
- Fix timeout handling of outbound HTTP requests (CVE-2023-36461)
- Fix arbitrary file creation through media processing (CVE-2023-36460)
- Fix possible XSS in preview cards (CVE-2023-36459)
Upgrade notes
To get the code for v3.5.9, use git fetch && git checkout v3.5.9.
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
Apart from ImageMagick, external dependencies have not changed compared to v3.5.8, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 2.7 to 3.0
- PostgreSQL: 9.5 or newer
- Elasticsearch (optional, for full-text search): 7.x
- Redis: 4 or newer
- Node: >= 12.22, < 18
- ImageMagick: 6.9.7-7 or newer
Update steps
The following instructions are for updating from 3.5.8.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
- Install dependencies: bundle install and yarn install
Both Docker and non-Docker:
ℹ️ The recommended configuration for reverse proxies has been updated. Unlike updating Mastodon itself, this is not urgent, but hardening. The change is about setting Content-Security-Policy: default-src 'none’; form-action ‘none’ and X-Content-Type-Options: nosniff on assets. Check dist/nginx.conf for more information, and the documentation if you are proxying external object storage.
- Restart all Mastodon processes
Related news
The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. "Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory. The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of
Categories: Personal Tags: tootroot Tags: mastodon Tags: server Tags: patch Tags: update Tags: CVE Tags: flaw Tags: vulnerability Tags: social media Tags: network Tags: networking We take a look at a collection of issues (now patched) which were affecting Mastodon servers. It's time to apply the fix for TootRoot. (Read more...) The post "TootRoot" Mastodon vulnerabilities fixed: Admins, patch now! appeared first on Malwarebytes Labs.
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460,
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.