CVE-2022-24307: Release v3.3.2 · mastodon/mastodon

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)

⚠️ This release is an important security release fixing CVE-2022-24307, a critical security issue.

A corresponding security release is also available for the 3.4.x branch, which is the recommended release.

Changelog

Fixed

  • Fix mastodon:webpush:generate_vapid_key task requiring a functional environment (ClearlyClaire)
  • Fix spurious errors when receiving an Add activity for a private post (ClearlyClaire)

Security

  • Fix error-prone SQL queries (ClearlyClaire)
  • Fix not compacting incoming signed JSON-LD activities (puckipedia, ClearlyClaire) (CVE-2022-24307)
  • Fix insufficient sanitization of report comments (ClearlyClaire)
  • Fix stop condition of a Common Table Expression (ClearlyClaire)
  • Disable legacy XSS filtering (Wonderfall)
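To illustrate the compaction fix (the CVE-2022-24307 description above and the "Fix not compacting incoming signed JSON-LD activities" entry), here is an added example that is not Mastodon's own code. A JSON-LD signature covers the canonical (expanded) form of the document, so an application that verifies the signature and then reads fields from the raw JSON can be looking at a different document whenever the sender declared term aliases in `@context`; compacting the verified document to the application's own terms before reading it makes both views agree. The tiny context/expansion/compaction logic is a hand-written stand-in for a real JSON-LD processor (Mastodon uses the json-ld gem), HMAC stands in for the LD signature, and the vocabulary, key and activity document are all constructed for the demo.

```ruby
require 'json'
require 'openssl'

# Constructed demo: a stand-in for verifying and processing an incoming signed
# JSON-LD activity. Nothing here is Mastodon code.
AS = 'https://www.w3.org/ns/activitystreams'.freeze

# The terms the application expects to read, and the IRIs they stand for
# (assumed, simplified subset of the ActivityStreams context).
DEFAULT_TERMS = {
  'id'      => '@id',
  'type'    => '@type',
  'actor'   => "#{AS}#actor",
  'object'  => "#{AS}#object",
  'content' => "#{AS}#content"
}.freeze

# Collect term -> IRI mappings: the defaults plus any aliases the sender declared
# in an inline @context object ("as:" is resolved against the AS namespace).
def term_map(context)
  entries = context.is_a?(Array) ? context : [context]
  aliases = {}
  entries.each do |entry|
    next unless entry.is_a?(Hash)
    entry.each do |term, iri|
      aliases[term] = iri.sub(/\Aas:/, "#{AS}#") if iri.is_a?(String)
    end
  end
  DEFAULT_TERMS.merge(aliases)
end

# Expansion: every key becomes its IRI; keys with no mapping are dropped, as a
# JSON-LD processor drops undefined terms.
def expand(doc)
  map = term_map(doc['@context'])
  doc.each_with_object({}) do |(key, value), out|
    next if key == '@context'
    iri = map[key]
    out[iri] = value if iri
  end
end

# Compaction back to the application's own terms; IRIs with no short term stay as IRIs.
def compact(doc)
  inverse = DEFAULT_TERMS.invert
  expand(doc).each_with_object({}) do |(iri, value), out|
    out[inverse.fetch(iri, iri)] = value
  end
end

# Canonical form the signature covers (stand-in for RDF dataset normalisation).
def canonical(doc)
  JSON.generate(expand(doc).sort.to_h)
end

SECRET = 'constructed-demo-signing-key'.freeze # stand-in for the sender's key

def sign(doc)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, canonical(doc))
end

# Constant-time comparison of two equal-length hex digests.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(doc, signature)
  secure_equal?(sign(doc), signature)
end

# Before the fix: signature checked over the canonical form, fields read from raw JSON.
def actor_before_fix(doc, signature)
  return nil unless signature_valid?(doc, signature)
  doc['actor']
end

# After the fix: compact first, so the fields read are the ones the signature covered.
def actor_after_fix(doc, signature)
  return nil unless signature_valid?(doc, signature)
  compact(doc)['actor']
end

# Does reading the raw JSON give the same view as the compacted document?
def consistent_view?(doc)
  compact(doc) == doc.reject { |k, _| k == '@context' }
end

# Constructed activity whose sender aliased "actor" as "who" in its @context.
ACTIVITY = {
  '@context' => [AS, { 'who' => 'as:actor' }],
  'id'       => 'https://remote.example/activities/1',
  'type'     => 'Create',
  'who'      => 'https://remote.example/users/alice',
  'object'   => 'https://remote.example/notes/1'
}.freeze
SIGNATURE = sign(ACTIVITY)

if $PROGRAM_NAME == __FILE__
  puts "signature valid:   #{signature_valid?(ACTIVITY, SIGNATURE)}"
  puts "raw view actor:    #{actor_before_fix(ACTIVITY, SIGNATURE).inspect}"
  puts "compacted actor:   #{actor_after_fix(ACTIVITY, SIGNATURE).inspect}"
  puts "raw == compacted?  #{consistent_view?(ACTIVITY)}"
end
```

The point of `consistent_view?` is the check a defender wants: whenever it is false, the raw document and the document the signature vouches for differ, and only the compacted form is safe to act on. Tampering with any field still fails `signature_valid?` in both versions; the fix is about which representation is read after a valid signature, not about the signature check itself.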

Upgrade notes

Because this is a backport, it is not available with git pull. Use git fetch && git checkout v3.3.2 instead.

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

External dependencies have not changed compared to v3.3.1; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 2.5 to 2.7
  • PostgreSQL: 9.4 or newer
  • Elasticsearch (optional, for full-text search): 5.x, 6.x or 7.x
  • Redis: 4 or newer
  • Node:
    • Node 10: 10.0 or newer
    • Node 12: 12.16 or newer
    • Node 13: 13.9 or newer
    • Node 14: 14.5 or newer

Compared to 3.3.0, an additional system dependency is required: shared-mime-info, which is likely already installed on your system.
On Debian-based systems, it can be installed using apt install shared-mime-info.

Update steps

The following instructions are for updating from 3.3.2.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker

If you’re upgrading from before 3.3.2, make sure you have shared-mime-info installed (apt install shared-mime-info).

  1. Pull the code: git fetch && git checkout v3.3.2
  2. Restart mastodon-web and mastodon-sidekiq:
    systemctl reload mastodon-web
    systemctl restart mastodon-sidekiq

Docker

The exact steps depend on your setup, but they are likely to match the following:

  1. Pull the code: git fetch && git checkout v3.3.2
  2. Pull the prebuilt images: docker-compose pull, or, alternatively, build them yourself: docker-compose build --pull
  3. Restart all Mastodon processes: docker-compose up -d