[Bug 277107] mastodon 4.2.7 security fix now out

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 17 Feb 2024 07:33:43 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277107

            Bug ID: 277107
           Summary: mastodon 4.2.7 security fix now out
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: doctor@doctor.nl2k.ab.ca

from https://github.com/mastodon/mastodon/releases/tag/v4.2.7

Warning

This release is an important security release fixing a major security issue.

Corresponding security releases are available for the 4.1.x branch, the 4.0.x
branch and the 3.5.x branch.

Note

If you are using nightly builds, do not use this release but update to
nightly.2024-02-17-security or newer instead. If you are on the main branch,
update to the latest commit.

Changelog

Fixed

    Fix OmniAuth tests and edge cases in error handling (ClearlyClaire,
    ClearlyClaire)
    Fix new installs by upgrading to the latest release of the nsa gem, instead
    of a no longer existing commit (mjankowski)

Security

    Fix insufficient checking of remote posts (GHSA-jhrq-qvrm-qr36)

Upgrade notes

To get the code for v4.2.7, use git fetch && git checkout v4.2.7.

Note

As always, make sure you have backups of the database before performing any
upgrades. If you are using docker-compose, this is how a backup command might
look:

    docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

With the exception of Ruby's recommended version, external dependencies have
not changed since v4.2.0; the compatible Ruby, PostgreSQL, Node, Elasticsearch
and Redis versions are the same, that is:

    Ruby: 3.0 to 3.2
    PostgreSQL: 10 or newer
    Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should
    also work)
    LibreTranslate (optional, for translations): 1.3.3 or newer
    Redis: 4 or newer
    Node: 16 or newer
    ImageMagick: 6.9.7-7 or newer

Tip

If your uploaded images are broken after the upgrade, it means your installed
ImageMagick version is older than the new minimum version (6.9.7-7), for
example if you are running Ubuntu 18.04. If this happens, you can find more
information and ways to fix it on this page.
