MastodonEngineering,
@MastodonEngineering@mastodon.social avatar

We are planning to release security patches for versions 3.5, 4.0, 4.1 and nightly next Tuesday, Sep 19, at 15:00 UTC. We encourage server administrators to plan for a timely upgrade to ensure their Mastodon server is protected.

untitaker,
@untitaker@woodland.cafe avatar

@MastodonEngineering @renchap if I am on nightly, do I have to wait a few hours for the next nightly to patch those CVEs or will there be an expedited, out-of-schedule nightly release?

renchap,
@renchap@oisaur.com avatar

@untitaker @MastodonEngineering You can safely update from a nightly to RC2, it contains all the commits from main

untitaker,
@untitaker@woodland.cafe avatar

@renchap @MastodonEngineering that is what I thought, but the rc2 release explicitly advises against it.

https://github.com/mastodon/mastodon/releases/tag/v4.2.0-rc2

renchap,
@renchap@oisaur.com avatar

@untitaker @MastodonEngineering This has been fixed, thanks for reporting it!

how,
@how@s10y.eu avatar

Following the dramatic announcement of @MastodonEngineering that a security release will be available tomorrow at 15:00,

and due to the unavailability of a sysadmin at this time, we're going down for a couple of days.

Enjoy your life without notifications 😗

Yeah, this https://nvd.nist.gov/vuln/detail/CVE-2023-4863 is going to be harmful for a while.

Who can trust their computers now? If we ever could.

jfparis,

@MastodonEngineering At a time when people are running the RC (at your request) it would be nice for it to have a patch as well

umiamz,

@MastodonEngineering How do you upgrade from the 4.2.0 RC to the latest nightly, please?

melroy, (edited)
@melroy@mastodon.melroy.org avatar

@MastodonEngineering Using Docker :)... So I only need to do:

docker compose pull web
docker compose pull sidekiq
docker compose pull streaming
docker compose run --rm web bundle exec rake db:migrate

renchap,
@renchap@oisaur.com avatar

@melroy @MastodonEngineering you should never need to clear the cache when upgrading.
And for this security release, you will not need to run migrations, only pull the new code and restart the services

melroy,
@melroy@mastodon.melroy.org avatar

@renchap @MastodonEngineering Thanks for your feedback. OK, I will remove the cache clear storage cache command. Since I use this script for all my upgrades, I always execute the db:migrate command (even if it's not needed). Of course before those commands I turn all services down, and after those commands I start them all again.

renchap,
@renchap@oisaur.com avatar

@melroy @MastodonEngineering you should not need to stop the services. You can migrate, restart, then run post-migrations, for minimal downtime.

melroy,
@melroy@mastodon.melroy.org avatar

@renchap @MastodonEngineering Thanks good to know. I'm just using Docker Compose. If some admins use a decent Kubernetes cluster, you can basically get zero down-time actually. Since the load-balancer will then automatically switch clients from the old to the new version seamlessly.
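The Docker Compose upgrade sequence melroy posted, rearranged into the order renchap recommends (pull, migrate, restart, then post-deployment migrations, with no explicit stop of the services). This is an added example, not melroy's actual script and not Mastodon's own tooling. It assumes the service names web, sidekiq and streaming from melroy's post and uses Mastodon's SKIP_POST_DEPLOYMENT_MIGRATIONS environment variable to split the migration into its pre- and post-restart halves. It defaults to a dry run that only prints the commands; set DRY_RUN=0 to execute them. For a release like this one that ships no migrations, both migrate steps are simply no-ops.

```shell
#!/bin/sh
# Added example for a Mastodon Docker Compose upgrade (not melroy's script,
# not Mastodon's own tooling). Order follows renchap's advice in the thread:
#   1. pull new images
#   2. pre-deployment migrations (old code still serving)
#   3. restart services on the new image
#   4. post-deployment migrations (new code live)
# Assumed: compose service names web/sidekiq/streaming, and Mastodon's
# SKIP_POST_DEPLOYMENT_MIGRATIONS flag for the pre-deployment pass.
# DRY_RUN defaults to 1 so the script is safe to read and rehearse; set
# DRY_RUN=0 to actually run the commands on the host.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SERVICES="web sidekiq streaming"

# run: always print the command; execute it only when DRY_RUN=0.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    fi
}

# Fetch the patched images for every Mastodon service.
pull_images() {
    for svc in $SERVICES; do
        run docker compose pull "$svc"
    done
}

# Schema changes that are compatible with the old code still running.
pre_migrations() {
    run docker compose run --rm -e SKIP_POST_DEPLOYMENT_MIGRATIONS=true web \
        bundle exec rake db:migrate
}

# 'up -d' recreates only containers whose image changed; no 'down' needed.
restart_services() {
    run docker compose up -d $SERVICES
}

# Remaining migrations (e.g. cleanup) once the new code is serving traffic.
post_migrations() {
    run docker compose run --rm web bundle exec rake db:migrate
}

# Full upgrade plan; prints one line per command executed (or planned).
upgrade() {
    pull_images
    pre_migrations
    restart_services
    post_migrations
}

upgrade
```

Run it once without arguments to see the six commands it would issue, then with DRY_RUN=0 from the directory containing docker-compose.yml to perform the upgrade.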

nico,
@nico@lepoulsdumonde.com avatar

deleted_by_author

    melroy,
    @melroy@mastodon.melroy.org avatar

    @nico @renchap @MastodonEngineering Uh.. no? I think the original post mentioned: "Tuesday, Sep 19, at 15:00 UT"

    renchap,
    @renchap@oisaur.com avatar

    @nico @melroy @MastodonEngineering No, patches will be disclosed and merged to main when we release the patches.
    Releasing the patches might give information about the security issues.

    melroy,
    @melroy@mastodon.melroy.org avatar

    @renchap @nico @MastodonEngineering isn't that called security by obscurity? Sorry for saying that.

    renchap,
    @renchap@oisaur.com avatar

    @melroy @nico @MastodonEngineering No, this is coordinated disclosure.
    If we publish the fixes on main before releasing the patched versions, then a malicious person could try to find out what the issue is by looking at the fixes.
    Everything will be released at the same time, fixes in git, patched versions, and security advisory.
    This is standard practice.

    iamapple2,

    @melroy Security by obscurity would be not patching and hoping no one tells @renchap @nico @MastodonEngineering

    Arataka,
    @Arataka@esper.lol avatar

    @melroy @MastodonEngineering but installing from source is so much fun :pepe_LFG:

    melroy,
    @melroy@mastodon.melroy.org avatar

    @Arataka @MastodonEngineering I bet it is for Gentoo users.

    jenbanim,
    @jenbanim@mastodo.neoliber.al avatar

    Pinging @esm in case you didn't see this

    jenbanim,
    @jenbanim@mastodo.neoliber.al avatar

    @MastodonEngineering is the 4.2 beta branch affected?

    renchap,
    @renchap@oisaur.com avatar

    @jenbanim @MastodonEngineering we will release a new 4.2 RC as well
