⚠️ We have just released important security fixes for the #Mastodon server software. Versions 4.1.3, 4.0.5, 3.5.9, as well as a new nightly are available now to make upgrading quick and painless. Please upgrade as soon as possible!

@Mastodon

this may be useful for some here:
If during the build phase on docker you encounter
```
Bundler::HTTPError Could not fetch specs from https://rubygems.org/ due to underlying error <Net::OpenTimeout: execution expired (https://rubygems.org/specs.4.8.gz)>
```
Then an unsatisfactory workaround is to temporarily disable IPv6 on your docker daemon.


@olaf @Mastodon IPv6 to rubygems.org works for me. What is the problem?
@Mastodon how can we find out which version of the app we have and, therefore, whether we are up to date?
@filibert @Mastodon @spla has already updated, you don't need to do anything 😁
@Mastodon Please improve the docker container building process though! It should not take 2h to get it built and pushed!

@fuomag9 @Mastodon

I use the prebuilt docker image ghcr.io/mastodon/mastodon:v4.1.3, commenting out "build: ." in the docker-compose they provide instead of building my own; it was literally 30 seconds to update.

Maybe that works for you?

@pyreneer @Mastodon You pulled the container when it was already pushed, but the GitHub action that builds and uploads it took 2:15 hours, which is not great, especially in case of critical security issues (it's possible to achieve arbitrary code execution in any instance simply by making a toot...)

https://github.com/mastodon/mastodon/actions/runs/5475883545/jobs/9972611758

@fuomag9 @Mastodon I'm also running their docker images..
@fuomag9 @Mastodon My update took 1 minute. Without docker.
@sven @Mastodon deploying without docker complicates updating and worsens security. If my deployment got exploited they’d need to break out of docker to access my machine at all
@fuomag9 @Mastodon Bottom line, I just secured an instance in a minute - it took you two hours. 🤷‍♂️
@fuomag9 @Mastodon I have a script where I just need to type in the new version number and run it - there's nothing complicated about that.

@sven @Mastodon it’s the same with docker. The issue here is on Mastodon’s side, with the slow building of containers. Furthermore, on a bare metal machine, in case a dependency changes (and it did change here as well; afaik the minimum Node version is now 18), a simple version number change is not enough for instantly updating.

The security impact of running without containers remains.

@Mastodon am new here and it's impossible to use android version . Can you fix it ?
@Ephrlevi @Mastodon This announcement is for server admins. As long as mastodon.social updates their software (they did) then you are good.
@Ephrlevi @Mastodon Try migrating to an instance with fewer people and less load. You're on one of the most popular instances and it may be struggling.
Dear readers of social.animeprincess.net: I will upgrade my website to fix this this weekend. You have until then to hax me. GLHF.
@zoe I'd recommend upgrading ASAP instead, the issue is critical (arbitrary code execution via a toot) and the vulnerability is probably going to be reversed fast by attackers
@fuomag9 Hmm alright then. Sorry hackers. animeprincess.net secured. It'd be annoying writing a "we got compromised" email to all 1 of the users.

So after looking at the mastodon security report / code commit I think I might have some idea (admittedly vague / incomplete) of how it worked.

No spoilers though I guess. Wait what is the etiquette about speculating about recent security issues anyway?

@Mastodon Done. We got the email too. You are awesome. Thanks guys.
@Mastodon How do I fetch the nightly using git?

@ablackcatstail @Mastodon

The image is tagged:

ghcr.io/mastodon/mastodon:nightly

@Mastodon the docker build process really needs to be looked at, over 2 hours to build after release is a bit much.
@Mastodon I got an error related to puma with `mastodon-web`.
What I did to fix this issue was to stop Mastodon, run `bundle install`, and restart it.

@Mastodon Thanks for the new version!

The upgrade instructions still need some TLC though https://mastodon.scot/@gunchleoc/110667501611817208

> @[email protected] Could you please clarify this bit from the upgrade instructions? "The change is about setting Content-Security-Policy: default-src 'none'; form-action 'none' and X-Content-Type-Options: nosniff on assets." Does this mean we change this section only: location ~ ^/assets/ { Or should we change more sections? Thanks! #MastoAdmin
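One way to verify, after editing the web server config, that an asset is actually served with the headers the upgrade instructions name (added example written for this thread, not code from the Mastodon project; the `check_asset` URL and the sample header sets are assumptions):

```python
"""Check that an asset response carries the headers named in the 4.1.3
upgrade instructions: Content-Security-Policy "default-src 'none';
form-action 'none'" and X-Content-Type-Options: nosniff.  Added example,
not from the thread or the Mastodon project."""
from urllib.request import Request, urlopen


def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: [sources]}; directive names are
    case-insensitive, so they are lower-cased; sources keep their case."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def asset_header_problems(headers: dict) -> list:
    """Return findings for one response's headers (names matched
    case-insensitively); an empty list means the asset is served as
    the instructions ask."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems = []
    csp = lower.get("content-security-policy")
    if csp is None:
        problems.append("Content-Security-Policy header missing")
    else:
        policy = parse_csp(csp)
        for directive in ("default-src", "form-action"):
            if policy.get(directive) != ["'none'"]:
                problems.append(f"CSP {directive} is {policy.get(directive)}, expected ['none']")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems.append("X-Content-Type-Options: nosniff missing")
    return problems


def check_asset(url: str) -> list:
    """Fetch one asset URL with GET (HEAD is not always honoured) and check it."""
    req = Request(url, headers={"User-Agent": "asset-header-check"})
    with urlopen(req, timeout=10) as resp:
        return asset_header_problems(dict(resp.headers.items()))


# Constructed sample header sets, not captured from a real server.
GOOD = {"Content-Security-Policy": "default-src 'none'; form-action 'none'",
        "X-Content-Type-Options": "nosniff", "Content-Type": "image/png"}
BAD = {"Content-Type": "text/javascript"}
```

Run `check_asset("https://your.instance/assets/<some file>")` against each of the asset-style locations you changed, not only `/assets/`, to see which still lack the headers.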
@Mastodon What does this mean for a common user? Is the user vulnerable if some instances aren't patched and how would I know if I'm part of a server that's not patched?
@Bouncing1981 @Mastodon You can see the version on the home page of your server, bottom left.
@nicu @Mastodon Can't see it on my phone. To be clear I am not running a server.
@Bouncing1981 @Mastodon I understand you don't run your own server, your account is on mastodon.social. So if you open this link https://mastodon.social/about in a browser, even on your phone, you will see the version. If it is one of the versions in original post, it means the server is patched.
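For anyone on several servers, the same check can be scripted: Mastodon's public `/api/v1/instance` endpoint reports the server's `version`, and the fixed releases named in the announcement (4.1.3, 4.0.5, 3.5.9) are the cut-off per series. Added example for this thread, not code from the Mastodon project; the handling of fork suffixes and nightly strings is an assumption.

```python
"""Decide whether a Mastodon server's advertised version includes the
6 July 2023 security fixes.  Added example, not part of the thread."""
import json
import re
from urllib.request import urlopen

# First release of each supported series that carries the fixes (from the announcement).
FIXED = {(4, 1): (4, 1, 3), (4, 0): (4, 0, 5), (3, 5): (3, 5, 9)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str):
    """Return (major, minor, patch) from strings like '4.1.3' or
    '4.1.2+glitch'; forks append a suffix, which is ignored (assumption)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str):
    """True if the version is at or above the fixed release of its series,
    False if below it, None if it cannot be judged from the announcement
    alone (a nightly, or a series other than 4.1 / 4.0 / 3.5)."""
    if "nightly" in version.lower():
        return None
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def server_version(domain: str) -> str:
    """Fetch the version a server advertises via its public instance API."""
    with urlopen(f"https://{domain}/api/v1/instance", timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:]:
        v = server_version(domain)
        print(domain, v, {True: "patched", False: "NOT patched", None: "unknown"}[is_patched(v)])
```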
@nicu @Mastodon Thanks, this makes sense. I am now able to see the about page in a web browser and get the details; however, it would be very convenient if we could go to Settings -> About and find this information. I am part of 10 servers, so this will be a manual task 🙃🙃

@Bouncing1981 @Mastodon No worries! 🙂

And this might answer your other question (I was actually also curious about the vulnerabilities they patched):
https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/

I think the important part in this context is:
> There’s no action individual Mastodon users need to take other than to ensure that the instance they’re subscribed to has installed the updates.

@Mastodon just want to say thank you to all those behind the scenes that make this place possible. You’re awesome 😊
@Mastodon For the lazy:
```
su - mastodon
cd live
git fetch && git checkout v4.1.3
bundle install
yarn install
exit   # back to an account with sudo; the mastodon user normally has none
sudo systemctl restart mastodon-web mastodon-streaming mastodon-sidekiq
```

@fell @Mastodon Or..

```
docker compose pull
docker compose stop
docker compose start
# stop/start reuses the existing containers; run "docker compose up -d"
# so they are recreated from the image you just pulled
```

:D

@fell @Mastodon why not just restart instead of stop and start? ;) for the lazy ones 😉👍
@fell @mikaelacaron here someone wrote the commands. They should work in your case.
@Mastodon Thanks for providing the update. I just upgraded our instance to v4.1.3.
.@Mastodon Is this for servers to upgrade, or for users? (hi i'm new.)
https://mastodon.social/@Mastodon/110667890329356603
@bencg
Servers. I'm pretty sure because they are addressing Administrators.
@Mastodon Your upgrade process is lacking. The upgrade page says "check the release notes on the git page" but doesn't say where to find them. Adding the link with a <fill in the version here> would help. Also, mine didn't start because the ruby gems needed upgrading (no mention of that); adding a "bundle install" command in the generic upgrade instructions wouldn't hurt. (I had to run the sidekiq command by hand to find this out.)
@Mastodon is this thanks to a wealthy new benefactor?
@Mastodon Trumbeta will be offline for a bit this evening because I have to do the update.
@Mastodon I’ve upgraded but still finding it very slow to load posts (I’m on iPhone), any ideas for speed fixes?

@Mastodon I have absolutely no idea how to update my server 😅

I built it kinda for fun, if anyone has any guides I’d love to see them thanks!
I pretty much followed this guide to set mine up (this was before there was the 1 click install)

https://www.linode.com/docs/guides/install-mastodon-on-ubuntu-2004/


@mikaelacaron did you use the marketplace image on Linode? If so I used this guide to upgrade mine:

https://www.bentasker.co.uk/posts/blog/general/upgrading-a-docker-mastodon-instance-to-gain-security-fixes.html

@angelo no, it wasn’t available yet, but maybe this guide could still help?
@mikaelacaron Ah, poop. It might help, but if not there might be other helpful guides here: https://www.linode.com/community/questions/24083/how-do-i-upgrade-my-mastodon-server-to-the-next-version