CVE-2023-36461: Release v3.5.9 · mastodon/mastodon

Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.


⚠️ This release is an important security release fixing multiple critical security issues (CVE-2023-36460, CVE-2023-36459).

Corresponding security releases are available for the 4.1.x branch and the 4.0.x branch.
If you are using nightly builds, do not use this release but update to nightly-2023-07-06-security or newer instead. If you are on the main branch, update to the latest commit.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

ℹ️ Requires streaming API restart
ℹ️ There are suggested reverse proxy configuration changes
⚠️ The minimal supported ImageMagick version has been bumped to 6.9.7-7

For more information, scroll down to the upgrade instructions section.

Changelog

Changed

  • Change OpenGraph-based embeds to allow fullscreen (ClearlyClaire)
  • Change profile updates to be sent to recently-mentioned servers (ClearlyClaire)
  • Change auto-linking to allow carets in URL query params (renchap)

Removed

  • Remove invalid X-Frame-Options: ALLOWALL (ClearlyClaire)

Fixed

  • Fix soft-deleted post cleanup scheduler overwhelming the streaming server (ThisIsMissEm)
  • Fix incorrect pagination headers in /api/v2/admin/accounts (danielmbrasil)
  • Fix performance of streaming by parsing message JSON once (ThisIsMissEm, ThisIsMissEm)
  • Fix CSP headers when S3_ALIAS_HOST includes a path component (ClearlyClaire)
  • Fix tootctl accounts approve --number N not approving N earliest registrations (danielmbrasil)
  • Fix being able to vote on your own polls (ClearlyClaire)
  • Fix race condition when reblogging a status (ClearlyClaire)
  • Fix “Authorized applications” inefficiently and incorrectly getting last use date (ClearlyClaire)
  • Fix multiple N+1s in ConversationsController (ClearlyClaire, ClearlyClaire, ClearlyClaire)
  • Fix user archive takeouts when using OpenStack Swift (ClearlyClaire)
  • Fix inefficiencies in indexing content for search (VyrCossont, VyrCossont)

Security

  • Update dependencies
  • Add hardening headers for user-uploaded files (ClearlyClaire)
  • Fix verified links possibly hiding important parts of the URL (CVE-2023-36462)
  • Fix timeout handling of outbound HTTP requests (CVE-2023-36461)
  • Fix arbitrary file creation through media processing (CVE-2023-36460)
  • Fix possible XSS in preview cards (CVE-2023-36459)

Upgrade notes

To get the code for v3.5.9, use git fetch && git checkout v3.5.9.

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

Apart from ImageMagick, external dependencies have not changed compared to v3.5.8; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 2.7 to 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 12.22, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 3.5.8.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install

Both Docker and non-Docker:

ℹ️ The recommended configuration for reverse proxies has been updated. Unlike updating Mastodon itself, this is not urgent, but hardening. The change is about setting Content-Security-Policy: default-src 'none'; form-action 'none' and X-Content-Type-Options: nosniff on assets. Check dist/nginx.conf for more information, and the documentation if you are proxying external object storage.

  1. Restart all Mastodon processes

Related news

Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. "Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory. The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of

"TootRoot" Mastodon vulnerabilities fixed: Admins, patch now!

We take a look at a collection of issues (now patched) which were affecting Mastodon servers. It's time to apply the fix for TootRoot. The post "TootRoot" Mastodon vulnerabilities fixed: Admins, patch now! appeared first on Malwarebytes Labs.

Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460,

CVE-2023-36462: Merge pull request from GHSA-55j9-c3mp-6fcq · mastodon/mastodon@610731b

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
