

⚠️ We have just released important security fixes for the #Mastodon server software. Versions 4.1.3, 4.0.5, 3.5.9, as well as a new nightly are available now to make upgrading quick and painless. Please upgrade as soon as possible!
in reply to Mastodon

Please improve the docker container building process though! It should not take 2h to get it built and pushed!
This entry was edited (1 year ago)
in reply to fuomag9

@fuomag9
I use the prebuilt docker image ghcr.io/mastodon/mastodon:v4.1.3, commenting out "build: ." in the docker-compose they provide, instead of building my own; it was literally 30 seconds to update.

Maybe that works for you?

in reply to Ismael Rodríguez

@pyreneer You pulled the container when it was already pushed, but the GitHub action that builds and uploads it took 2:15 hours, which is not great, especially in case of critical security issues (it's possible to achieve arbitrary code execution in any instance simply by making a toot...)

github.com/mastodon/mastodon/a…

in reply to Sven

@sven deploying without docker complicates updating and worsens security. If my deployment got exploited they’d need to break out of docker to access my machine at all
@Sven
in reply to fuomag9

@fuomag9 Bottom line, I just secured an instance in a minute - it took you two hours. 🤷‍♂️
in reply to fuomag9

@fuomag9 I have a script where I just need to type in the new version number and run it - there's nothing complicated about that.
in reply to Sven

@sven it’s the same with docker. The issue here is on Mastodon’s side, in the slow building of containers. Furthermore, on a bare metal machine, in case a dependency changes (and it did change here as well, afaik the minimum node version is now 18), a simple version number change is not enough for instantly updating.

The security impact of running without containers remains.

@Sven
in reply to Mastodon

How can we know which version we have and, therefore, whether we are up to date?
in reply to Mastodon

this may be useful for some here:
If during the build phase on docker you encounter
```
Bundler::HTTPError Could not fetch specs from rubygems.org/ due to underlying error <Net::OpenTimeout: execution expired (rubygems.org/specs.4.8.gz)>
```
Then an unsatisfactory workaround is to temporarily disable IPv6 on your docker daemon.
in reply to Mastodon

I am new here and it's impossible to use the Android version. Can you fix it?
in reply to Mastodon

Dear readers of social.animeprincess.net: I will upgrade my website to fix this this weekend. You have until then to hax me. GLHF.
in reply to Zoe

@zoe I'd recommend upgrading ASAP instead, the issue is critical (arbitrary code execution via a toot) and the vulnerability is probably going to be reversed fast by attackers
@Zoe
in reply to fuomag9

@fuomag9 Hmm alright then. Sorry hackers. animeprincess.net secured. It'd be annoying writing a "we got compromised" email to all 1 of the users.
in reply to Mastodon

the docker build process really needs to be looked at, over 2 hours to build after release is a bit much.
in reply to Mastodon

I got an error related to puma with `mastodon-web`.
What I did to fix this issue was to stop Mastodon, run `bundle install`, and restart it.
in reply to Mastodon

Thanks for the new version!

The upgrade instructions still need some TLC though mastodon.scot/@gunchleoc/11066…

in reply to Mastodon

just want to say thank you to all those behind the scenes that make this place possible. You’re awesome 😊
in reply to Mastodon

What does this mean for a common user? Is the user vulnerable if some instances aren't patched and how would I know if I'm part of a server that's not patched?
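
For the two questions in this thread about finding out which version a server runs and whether it is patched, here is an added example that is not part of any post above. It reads the `version` field that Mastodon's public `/api/v1/instance` endpoint returns and compares it with the fixed releases named in the announcement; the function names and sample responses are constructed for illustration.

```python
import json
import re
import urllib.request

# Fixed releases named in the announcement, keyed by release branch.
FIXED = {(4, 1): 3, (4, 0): 5, (3, 5): 9}


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return "unknown"
    if m.group(4):
        # Nightlies, release candidates and forks carry a suffix; the
        # number alone does not say whether the fixes are included.
        return "unknown"
    major, minor, patch = (int(g) for g in m.groups()[:3])
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "patched"  # assumption: later branches ship with the fixes
    return "vulnerable"   # older branch: the announcement lists no fix


def version_from_response(body):
    """Extract 'version' from an /api/v1/instance JSON body."""
    data = json.loads(body)
    return str(data.get("version", "")) if isinstance(data, dict) else ""


def instance_version(domain, timeout=10.0):
    """Ask a live server for its version (needs network access)."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError("not a plain host name")
    url = f"https://{domain}/api/v1/instance"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return version_from_response(resp.read())


# Constructed sample responses, so the example runs offline.
SAMPLES = {
    "patched.example": '{"uri": "patched.example", "version": "4.1.3"}',
    "old.example": '{"uri": "old.example", "version": "4.1.2"}',
    "fork.example": '{"uri": "fork.example", "version": "4.1.2+glitch"}',
}


def check_samples():
    return {d: classify(version_from_response(b)) for d, b in SAMPLES.items()}


if __name__ == "__main__":
    print(check_samples())
```

For a live check, call `classify(instance_version("your.server.example"))`; an `unknown` result means the server's administrator has to confirm the build.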
in reply to Mastodon

For the lazy:
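```
# become the mastodon user and enter the checkout
su - mastodon
cd live
# fetch the new tags and switch to the fixed release
git fetch && git checkout v4.1.3
# update the Ruby and JavaScript dependencies
bundle install
yarn install
# restart the services (needs an account with sudo rights)
sudo systemctl stop mastodon-web mastodon-streaming mastodon-sidekiq
sudo systemctl start mastodon-web mastodon-streaming mastodon-sidekiq
```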
in reply to Mastodon

Thanks for providing the update. I just upgraded our instance to v4.1.3.
in reply to Mastodon

.@Mastodon Is this for servers to upgrade, or for users? (hi i'm new.)
mastodon.social/@Mastodon/1106…



in reply to Mastodon

Your upgrade process is lacking. The upgrade page says "check the release notes on the git page" but doesn't say where to find them. Adding the link with a <fill in the version here> would help. Also, mine didn't start because the ruby gems needed upgrading (no mention of that); adding a "bundle install" command in the generic upgrade instructions wouldn't hurt. (I had to run the sidekiq command by hand to find this out.)
in reply to Mastodon

трумбета will be offline for a bit this evening because I have to do an update.
in reply to Mastodon

I’ve upgraded but still finding it very slow to load posts (I’m on iPhone), any ideas for speed fixes?
in reply to Mastodon

I have absolutely no idea how to update my server 😅

I built it kinda for fun, if anyone has any guides I’d love to see them thanks!
I pretty much followed this guide to set mine up (this was before there was the 1 click install)

linode.com/docs/guides/install…

in reply to Mastodon

» released patch two hours ago
» server is patched already! ❤
in reply to Mastodon

updated mastodon.habets.dev/ to 4.1.3.

As always: upgrade went smooth as a whistle! Thanks!

in reply to Mastodon

Hi,
As this is for server software, do we normal users have to do anything?
in reply to Mastodon

what's the advantage of using an app over the website?
in reply to Mastodon

I hope it’s easier to report cyberbullying and cyber libel here than on Twitter. I hope you will never allow and promote violence like Twitter does, especially against women.
in reply to Mastodon

getting "Module parse failed: Unexpected token" when running assets:precompile 🙁
in reply to Mastodon

I don’t understand what I should/how I should update my Mastodon.
in reply to Mastodon

do we as users have to upgrade? How?
This entry was edited (1 year ago)
in reply to Mastodon

why is there nothing new under Posts for the last day? Seems like your security patch might have broken things.
This entry was edited (1 year ago)
in reply to Mastodon

I just noticed 4.1.4 on github and upgraded (smooth as a whistle)

No post though...or did I miss it?

"This release addresses a few issues that were missed in the last security update and includes changelogs for both updates.

⚠️ It is a follow-up to the important 4.1.3 security release fixing multiple critical security issues (CVE-2023-36460, CVE-2023-36459)."

github.com/mastodon/mastodon/r…