We just released Mastodon 4.5.10, 4.4.17, and 4.3.23.

These versions contain several medium and high severity security fixes.

Also, please note that this marks the final Mastodon v4.3 update, this branch is now unsupported. If you are still using it, please move to a newer version as soon as possible.

Full release notes and update instructions are available on the GitHub releases page.

https://github.com/mastodon/mastodon/releases

#MastoAdmin

@MastodonEngineering is there a plan to onboard admins so they can know in advance when such releases will occur?
I know some admins who were not aware they needed to keep their eyes open today 😕
@tfardet We do announce releases in advance when they contain critical security fixes, not when the fixes are of a lower severity.
@renchap ok, from the way other projects talked about a "major security release", I imagined the vulnerability was more severe than that.
Is it a difference linked to implementation details or a difference in appreciation?
@tfardet Mastodon is less impacted than other projects. We spent a lot of time coordinating this release after researching it and discovering that other projects were much more impacted than us by it (or a similar one that we fixed years ago)
@renchap ok, that's reassuring, I was a bit worried by the absence of an announcement despite other projects advertising that the issue was also affecting mastodon 😅

@MastodonEngineering heya, the linked security advisories 404.

This has happened a few times recently, may I suggest adding that to your release checklist?

@4censord @MastodonEngineering Isn't that intentional? They'll become public once instances had sufficient time to update.

@niklaskorz it usually isn't, no
The advisories are intended to give enough context so you can appropriately choose when to update and such.
Mostly because reverse engineering the vulnerability from the fixes is usually very simple

This is distinct from e.g. proof of concept code, which often is not published right away.

@4censord They are now published!

@MastodonEngineering @4censord oh wow, they're not supposed to 404???
I assumed that was desired (but also super frustrating to me, because I want to find out what they're about).

This has been the case for like.. every release, forever.
Well, if not, look forward to your checklists being updated so this step is no longer missed.

@MastodonEngineering I’m quite happy to report that almost all #Netherlands hosted mastodon servers including mastodon.nl and social.overheid.nl have been patched.

Much kudos to all the admins united in a Dutch FediAdmins signal group. 🥳