CVE-2022-24307: Release v3.3.2 · mastodon/mastodon
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
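Why compaction matters here: the Linked Data Signatures Mastodon accepts are computed over a normalized (RDF) form of the document, so two JSON-LD documents that differ only in surface form (full IRI keys versus short terms, array-wrapped versus bare values) verify identically. If the activity is then processed from the raw JSON, the keys a handler reads are not necessarily the ones the signature covered. Compacting first collapses those spellings to one key per property, so what is verified and what is acted on are the same thing. The following Ruby is an added, deliberately reduced illustration of that idea; it is not Mastodon's code and not a conformant JSON-LD processor. The names (`compact`, `actor_of`, `raw_actor`, `TERMS`), the five-term stand-in context and the two sample documents are all constructed for this demo.

```ruby
require 'json'

AS_NS = 'https://www.w3.org/ns/activitystreams#'.freeze

# Stand-in for a slice of the ActivityStreams context (term => IRI or keyword).
# Assumption for the demo only; the real context document is far richer.
TERMS = {
  'id'      => '@id',
  'type'    => '@type',
  'actor'   => "#{AS_NS}actor",
  'object'  => "#{AS_NS}object",
  'content' => "#{AS_NS}content"
}.freeze
IRI_TO_TERM = TERMS.invert.freeze

class CompactionError < StandardError; end

# Minimal compaction: collapse single-element arrays, unwrap {"@id"} and
# {"@value"} nodes, rewrite IRI keys to their short terms and shorten type
# IRIs. A property that shows up under two spellings with different values
# is rejected instead of silently letting one of them win.
def compact(node)
  case node
  when Array
    items = node.map { |v| compact(v) }
    items.length == 1 ? items.first : items
  when Hash
    return node['@value'] if node.keys == ['@value']
    return node['@id'] if node.keys == ['@id']

    node.each_with_object({}) do |(key, raw), out|
      term = IRI_TO_TERM.fetch(key, key)
      value = compact(raw)
      value = value.delete_prefix(AS_NS) if term == 'type' && value.is_a?(String)
      if out.key?(term) && out[term] != value
        raise CompactionError, "property #{term} given twice with different values"
      end
      out[term] = value
    end
  else
    node
  end
end

# What a handler should do: compact first, then read the term it expects.
def actor_of(document)
  compact(document)['actor']
end

# Reading the raw document instead: the expected key may simply not be there.
def raw_actor(document)
  document['actor']
end

# Constructed sample: a Create activity in expanded JSON-LD form, i.e. full
# IRI keys and array-wrapped values, as a remote server is allowed to send it.
EXPANDED_CREATE = JSON.parse(<<~JSON)
  {
    "@type": ["#{AS_NS}Create"],
    "#{AS_NS}actor": [{"@id": "https://example.org/users/alice"}],
    "#{AS_NS}object": [{
      "@type": ["#{AS_NS}Note"],
      "#{AS_NS}content": [{"@value": "hello"}]
    }]
  }
JSON

# Constructed sample carrying "actor" under two spellings that disagree;
# compact refuses it rather than acting on one of the two.
CONFLICTING = {
  'actor' => 'https://example.org/users/bob',
  "#{AS_NS}actor" => [{ '@id' => 'https://example.org/users/alice' }],
  'type' => 'Follow'
}.freeze

def rejects_conflict?(document)
  compact(document)
  false
rescue CompactionError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "raw read:          #{raw_actor(EXPANDED_CREATE).inspect}"
  puts "compacted read:    #{actor_of(EXPANDED_CREATE)}"
  puts "conflict rejected: #{rejects_conflict?(CONFLICTING)}"
end
```

The point of the demo is the gap between `raw_actor` and `actor_of` on the same document: a handler that reads raw keys sees a different picture of the activity than the signature check did. A real deployment should rely on a proper JSON-LD library for compaction rather than a hand-rolled term table.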
⚠️ This release is an important security release fixing CVE-2022-24307, a critical security issue.
A corresponding security release is also available for the 3.4.x branch, which is the recommended release.
Changelog
Fixed
- Fix mastodon:webpush:generate_vapid_key task requiring a functional environment (ClearlyClaire)
- Fix spurious errors when receiving an Add activity for a private post (ClearlyClaire)
Security
- Fix error-prone SQL queries (ClearlyClaire)
- Fix not compacting incoming signed JSON-LD activities (puckipedia, ClearlyClaire) (CVE-2022-24307)
- Fix insufficient sanitization of report comments (ClearlyClaire)
- Fix stop condition of a Common Table Expression (ClearlyClaire)
- Disable legacy XSS filtering (Wonderfall)
Upgrade notes
Because this is a backport, it is not available with git pull. Use git fetch && git checkout v3.3.2
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed compared to v3.3.1, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 2.5 to 2.7
- PostgreSQL: 9.4 or newer
- Elasticsearch (optional, for full-text search): 5.x, 6.x or 7.x
- Redis: 4 or newer
- Node:
- Node 10: 10.0 or newer
- Node 12: 12.16 or newer
- Node 13: 13.9 or newer
- Node 14: 14.5 or newer
Compared to 3.3.0, an additional system dependency is required: shared-mime-info, which is likely already installed on your system. On Debian-based systems, it can be installed using apt install shared-mime-info.
Update steps
The following instructions are for updating from 3.3.2.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker
If you’re upgrading from before 3.3.2, make sure you have shared-mime-info installed (apt install shared-mime-info).
- Pull the code:
git fetch && git checkout v3.3.2
- Restart mastodon-web and mastodon-sidekiq:
systemctl reload mastodon-web
systemctl restart mastodon-sidekiq
Docker
The exact steps depend on your setup, but they are likely to match the following:
- Pull the code:
git fetch && git checkout v3.3.2
- Pull the prebuilt images: docker-compose pull, or, alternatively, build them yourself: docker-compose build --pull
- Restart all Mastodon processes:
docker-compose up -d