⚠️ We have just released important security fixes for the #Mastodon server software. Versions 4.1.3, 4.0.5, 3.5.9, as well as a new nightly are available now to make upgrading quick and painless. Please upgrade as soon as possible!
@Mastodon What does this mean for a common user? Is the user vulnerable if some instances aren't patched and how would I know if I'm part of a server that's not patched?
@Bouncing1981 @Mastodon You can see the version on the home page of your server, bottom left.
@nicu @Mastodon Can't see it on my phone. To be clear I am not running a server.
@Bouncing1981 @Mastodon I understand you don't run your own server, your account is on mastodon.social. So if you open this link https://mastodon.social/about in a browser, even on your phone, you will see the version. If it is one of the versions in the original post, it means the server is patched.
@nicu @Mastodon Thanks, this makes sense. I am now able to see the about page in a web browser and get the details; however, it would be very convenient if we could go to settings->about and find this information. I am part of 10 servers, this will be a manual task 🙃🙃

@Bouncing1981 @Mastodon No worries! 🙂

And this might answer your other question (I was actually also curious about the vulnerabilities they patched)
https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/

I think the important part in this context is:
> There’s no action individual Mastodon users need to take other than to ensure that the instance they’re subscribed to has installed the updates.

Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking

Most critical of the bugs allowed attackers to root federated instances.

Ars Technica
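
For anyone with accounts on several servers, the manual check discussed in the thread can be scripted. The following is an added example, not part of the original posts and not Mastodon project code: it reads the version each server reports at its public `/api/v1/instance` endpoint (an endpoint not mentioned in the thread) and compares it with the fixed releases named in the announcement. Assumptions: branches newer than 4.1 are treated as patched, branches older than 3.5 are reported as unknown because the announcement names no fixed release for them, and the hostnames in `SAMPLE` are constructed.

```python
import json
import re
import sys
import urllib.request

# Fixed releases named in the announcement: branch (major, minor) -> first fixed patch.
FIXED = {(4, 1): 3, (4, 0): 5, (3, 5): 9}
# Constructed sample data (not real servers), used when no hostnames are given.
SAMPLE = {"a.example": "4.1.3", "b.example": "4.1.2+glitch", "c.example": "3.4.10"}

def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a Mastodon version string."""
    v = version.strip()
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        return "unknown"
    suffix = v[m.end():]
    if "nightly" in suffix or re.match(r"[-.]?(rc|beta|alpha)", suffix):
        return "unknown"  # the number alone does not say whether the fix is in
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return "patched" if patch >= FIXED[(major, minor)] else "vulnerable"
    if (major, minor) > max(FIXED):
        return "patched"  # assumption: later branches include the fixes
    return "unknown"  # older branch: the announcement names no fixed release

def fetch_version(host, timeout=10):
    """Read the version a server reports at /api/v1/instance."""
    url = f"https://{host}/api/v1/instance"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]

def check(hosts, fetch=fetch_version):
    """Map each host to (status, reported version or error text)."""
    results = {}
    for host in hosts:
        try:
            version = fetch(host)
            results[host] = (classify(version), version)
        except (OSError, ValueError, KeyError) as exc:
            results[host] = ("unreachable", repr(exc))
    return results

if __name__ == "__main__":
    hosts = sys.argv[1:]
    report = check(hosts) if hosts else check(SAMPLE, fetch=SAMPLE.__getitem__)
    for host, (status, detail) in report.items():
        print(f"{host}: {detail} -> {status}")
```

The version is self-reported by the server, and forks may backport fixes without changing the number, so a "vulnerable" result is a prompt to ask the admin rather than proof.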