Post AG2OAnp7mBdsJCFfYu by djsundog@linernotes.club
(DIR) Post #AG0SjDkhtJae4UvuEa by Mastodon@mastodon.social
2022-01-31T17:37:00Z
2 likes, 28 repeats
⚠️ We are planning to release important security fixes for #Mastodon on February 3rd, between 13:00 and 15:00 UTC. To make sure that most servers can upgrade swiftly, we will release the fixes both as v3.3.2 and v3.4.6 (they will, of course, be also available on the main branch). To make sure the upgrades on those older versions require the least intervention, with just a process restart, we have just released preparatory releases v3.3.1 and v3.4.5. Please upgrade!
(DIR) Post #AG0UbUh5Dd9YCrgIwi by Hyolobrika@mstdn.io
2022-01-31T17:59:16Z
0 likes, 0 repeats
@Mastodon @angristan
(DIR) Post #AG0avr60EpAbCYQh5E by rubenwardy@fosstodon.org
2022-01-31T19:09:11Z
0 likes, 0 repeats
@Mastodon @fosstodon @mike @kev :)
(DIR) Post #AG0b4yt8dRBdyYlPc0 by angristan@mstdn.io
2022-01-31T19:11:49Z
0 likes, 0 repeats
@Hyolobrika @Mastodon thanks
(DIR) Post #AG0b7EhcoDA9bOSC6S by Hyolobrika@mstdn.io
2022-01-31T19:12:06Z
0 likes, 0 repeats
@angristan Yw!
(DIR) Post #AG0hFLhpFpQFMcncps by thegibson@hackers.town
2022-01-31T17:54:44Z
0 likes, 0 repeats
@Mastodon Any details as to what these patches are fixing?
(DIR) Post #AG0hFMLAtWtjKfD3AW by dentaku@fnordon.de
2022-01-31T19:05:23Z
0 likes, 0 repeats
@thegibson @Mastodon It's better to hold back those details until *after* the fix is available.
(DIR) Post #AG0hFNQWr6m6hYiq9Y by adam@hax0rbana.social
2022-01-31T20:20:55Z
0 likes, 0 repeats
@dentaku @thegibson @Mastodon I disagree, knowing the details sooner allows admins to deploy mitigations and monitor for attacks. Even just knowing the class of vulnerability (e.g., command injection, XSS, etc.) would be helpful.
(DIR) Post #AG0haK5sRX6ARg3BoG by thegibson@hackers.town
2022-01-31T20:24:43Z
0 likes, 0 repeats
@adam @dentaku @Mastodon I have to agree with Adam here... not saying you need to give a POC, but knowing what we are dealing with could be helpful... I saw the NodeJS comments... is it further than that?
(DIR) Post #AG0megT9h2Kslqpyz2 by Gargron@mastodon.social
2022-01-31T21:12:48Z
0 likes, 0 repeats
@thegibson @adam @dentaku @Mastodon Our policy is not to reveal details until a fix is deployable, but I can tell you the fixes released today have absolutely nothing to do with the upcoming patch except making the upgrade easier.
(DIR) Post #AG0meh0pfpH4SIasTY by adam@hax0rbana.social
2022-01-31T21:21:32Z
0 likes, 0 repeats
@Gargron @thegibson @dentaku @Mastodon Thanks for the clarification. I also appreciate the effort to make the upgrade process easier. I am interested in writing and contributing scripts to build .deb packages and automate these administrative commands away in the future 😃
(DIR) Post #AG0pquEucZRgoeh93w by thegibson@hackers.town
2022-01-31T21:57:22Z
0 likes, 0 repeats
@adam @Gargron @dentaku @Mastodon Easing the time and stress required to get the upgrade ready is definitely a good thing to usher in acceptance of the patch. I appreciate the approach!
(DIR) Post #AG0pt2WAoTgX4PmnIG by thegibson@hackers.town
2022-01-31T21:57:42Z
0 likes, 0 repeats
@adam @Gargron @dentaku @Mastodon Easing the time and stress required to get the upgrade ready is definitely a good thing to usher in acceptance of the patch. I appreciate the approach!
(DIR) Post #AG1jV5J2OFv0CUnPHc by Claire@social.sitedethib.com
2022-01-31T17:55:09Z
0 likes, 0 repeats
#LastBoost this affects pretty much any version of Mastodon, including #GlitchSoc. Patches will be provided to glitch-soc as they are released for mainline Mastodon. In preparation, please update to the latest #GlitchSoc commit!
(DIR) Post #AG1jV5x5zJxeCjXOim by Claire@social.sitedethib.com
2022-01-31T17:56:50Z
0 likes, 2 repeats
Also, if you are a #MastoAdmin, I would recommend you follow @Mastodon and use the bell notification feature to get important notifications!
(DIR) Post #AG1ybfdLjj9hv0tYno by dancer_xiv@shelter.moe
2022-02-01T11:09:31Z
0 likes, 0 repeats
@adam @dentaku @thegibson @Mastodon Isn't that telling in advance what is broken, will help whoever wants to have "fun" with unpatched servers until they get fixed? I'd prefer patch notes released after admins had enough time to patch first. If an admin worries about patch content, s/he can always look at git and check him/herself, I think.
(DIR) Post #AG2OAmQcxmS7yvmajw by djsundog@linernotes.club
2022-02-01T15:34:52Z
0 likes, 0 repeats
@Claire hey - just upgraded GlitchSoc on the toot-lab, am now getting 500 errors. mastodon-web log showing `NoMethodError (undefined method `edited_at' for #<Status id: foo, uri: bar, account_id: baz, etc>` after the upgrade. any tips?
(DIR) Post #AG2OAnC87ARyMG0WmW by Claire@social.sitedethib.com
2022-02-01T15:48:55Z
0 likes, 0 repeats
@djsundog did you run migrations before restarting mastodon-web? might be worth running tootctl cache clear too but i don't think that's needed
(DIR) Post #AG2OAnp7mBdsJCFfYu by djsundog@linernotes.club
2022-02-01T15:50:53Z
0 likes, 0 repeats
@Claire aha, I totally skipped the migrations - whoops! thanks much!
(DIR) Post #AG2OAoL1rZA9u9B9I8 by djsundog@linernotes.club
2022-02-01T15:52:46Z
1 likes, 0 repeats
@Claire confirming that did indeed resolve the issue entirely - thanks again, you're the best!
(DIR) Post #AG2oGTyt3pZzJWBfM0 by adam@hax0rbana.social
2022-02-01T20:48:56Z
0 likes, 0 repeats
@dancer_xiv @dentaku @thegibson @Mastodon When the patch is released, or the details of the vulnerability are shared, assuming there aren't any leaks, everyone gets this info at the same time. This is true whether it happens early or later. Currently all the servers are exploitable and could be being exploited now. Admins have no ability to add targeted monitoring for exploitation. That's why I'd prefer some details so we can write these rules.
(DIR) Post #AG4lP8rHjL1FPsnKFM by pepijndevos@freeradical.zone
2022-02-02T14:56:09Z
0 likes, 0 repeats
@Mastodon @tek
(DIR) Post #AG4lP9MTrLyMydOEs4 by tek@freeradical.zone
2022-02-02T19:26:20Z
0 likes, 0 repeats
@Mastodon @pepijndevos Yep, I’m on it. We’re on 3.4.5 already.