Mastodon - Package Updates
Pinned
Mastodon
-
[1.11.9]
- Update Mastodon to 4.1.7
- Full changelog
- Change remote report processing to accept reports with long comments, but truncate them (ThisIsMissEm)
- Fix blocking subdomains of an already-blocked domain (ClearlyClaire)
- Fix /api/v1/timelines/tag/:hashtag allowing for unauthenticated access when public preview is disabled (danielmbrasil)
- Fix inefficiencies in PlainTextFormatter (ClearlyClaire)
-
[1.11.10]
- Update Mastodon to 4.1.8
- Full changelog
- This release is an important security release fixing major security issues (CVE-2023-42451, CVE-2023-42452).
- Fix post edits not being forwarded as expected (ClearlyClaire)
- Fix moderator rights inconsistencies (ClearlyClaire)
- Fix crash when encountering invalid URL (ClearlyClaire)
- Fix cached posts including stale stats (ClearlyClaire)
-
[1.11.11]
- Update Mastodon to 4.1.9
- Full changelog
- Fix post translation erroring out (ClearlyClaire)
- Fix post edits not being forwarded as expected (ClearlyClaire)
- Fix moderator rights inconsistencies (ClearlyClaire)
- Fix crash when encountering invalid URL (ClearlyClaire)
- Fix cached posts including stale stats (ClearlyClaire)
- Fix uploading of video files for which ffprobe reports 0/0 average framerate (NicolaiSoeborg)
- Fix unexpected audio stream transcoding when uploaded video is eligible to passthrough (yufushiro)
- Fix missing HTML sanitization in translation API (CVE-2023-42452, GHSA-2693-xr3m-jhqr)
- Fix incorrect domain name normalization (CVE-2023-42451, GHSA-v3xf-c9qf-j667)
-
[1.12.0]
- Update Mastodon to 4.2.0
- Full changelog
- Add “Privacy and reach” tab in profile settings (Gargron, ClearlyClaire)
- This reorganized scattered privacy and reach settings to a single place, as well as improve their wording.
- Add display of out-of-band hashtags in the web interface (Gargron, arbolitoloco1, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, ClearlyClaire)
- Add role badges to the web interface (ClearlyClaire, Gargron)
- Add ability to pick domains to forward reports to using the forward_to_domains parameter in POST /api/v1/reports (ClearlyClaire, ClearlyClaire)
- The forward_to_domains REST API parameter is a list of strings. If it is empty or omitted, the previous behavior is maintained.
- The forward parameter still needs to be set for forward_to_domains to be taken into account.
- The forwarded-to domains can only include that of the original author and people being replied to.
- Add forwarding of reported replies to servers being replied to (Gargron, ClearlyClaire)
- Add ONE_CLICK_SSO_LOGIN environment variable to directly link to the Single-Sign On provider if there is only one sign up method available (CSDUMMI, ClearlyClaire, CSDUMMI, ClearlyClaire)
- Add webhook templating (Gargron)
- Add webhooks for local status.created, status.updated, account.updated and report.updated (VyrCossont, VyrCossont, VyrCossont)
-
[1.12.1]
- Update Mastodon to 4.2.1
- Full changelog
- Add redirection on /deck URLs for logged-out users (ClearlyClaire)
- Add support for v4.2.0 migrations to tootctl maintenance fix-duplicates (ClearlyClaire)
- Change some worker lock TTLs to be shorter-lived (ClearlyClaire)
- Change user archive export allowed period from 7 days to 6 days (suddjian)
-
[1.12.2]
- Update Mastodon to 4.2.2
- Full changelog
- Change dismissed banners to be stored server-side (ClearlyClaire)
- Change GIF max matrix size error to explicitly mention GIF files (ClearlyClaire)
- Change Follow activities delivery to bypass availability check (ShadowJonathan)
- Change single-column navigation notice to be displayed outside of the logo container (renchap, renchap)
- Change Content-Security-Policy to be tighter on media paths (ClearlyClaire)
- Change post language code to include country code when relevant (gunchleoc, ClearlyClaire)
- Fix upper border radius of onboarding columns (ClearlyClaire)
- Fix incoming status creation date not being restricted to standard ISO8601 (ClearlyClaire, ClearlyClaire)
- Fix some posts from threads received out-of-order sometimes not being inserted into timelines (ClearlyClaire)
- Fix posts from force-sensitized accounts being able to trend (ClearlyClaire)
- Fix error when trying to delete already-deleted file with OpenStack Swift (ClearlyClaire)
- Fix batch attachment deletion when using OpenStack Swift (ClearlyClaire)
- Fix processing LDSigned activities from actors with unknown public keys (ClearlyClaire)
- Fix error and incorrect URLs in /api/v1/accounts/:id/featured_tags for remote accounts (ClearlyClaire)
- Fix report processing notice not mentioning the report number when performing a custom action (ClearlyClaire)
- Fix handling of inLanguage attribute in preview card processing (ClearlyClaire)
- Fix own posts being removed from home timeline when unfollowing a used hashtag (kmycode)
- Fix some link anchors being recognized as hashtags (ClearlyClaire, ClearlyClaire)
- Fix format-dependent redirects being cached regardless of requested format (ClearlyClaire)
-
[1.12.4]
- Update Mastodon to 4.2.4
- Full changelog
- Add rate-limit of TOTP authentication attempts at controller level (ClearlyClaire)
- Fix error when processing remote files with unusually long names (ClearlyClaire)
- Fix processing of compacted single-item JSON-LD collections (ClearlyClaire)
- Retry 401 errors on replies fetching (ShadowJonathan)
- Fix RecordNotUnique errors in LinkCrawlWorker (tribela)
- Fix Mastodon not correctly processing HTTP Signatures with query strings (ClearlyClaire, ClearlyClaire)
-
[1.12.6]
- Update Mastodon to 4.2.6
- This release is an important security release fixing several security issue.
- Full changelog
- Change external authentication behavior to never reattach a new identity to an existing user by default (GHSA-vm39-j3vx-pch3)
- Update the nokogiri dependency (see GHSA-xc9x-jj77-9p9j)
- Disable administrative Doorkeeper routes (ThisIsMissEm)
- Fix ongoing streaming sessions not being invalidated when applications get deleted in some cases (GHSA-7w3c-p9j8-mq3x)
- Update the sidekiq-unique-jobs dependency (see GHSA-cmh9-rx85-xj38)
-
[1.13.0]
- Update Mastodon to 4.2.7
- This release is an important security release fixing several security issue.
- With this package release, the app moves from LDAP authentication to OpenID Connect
- Full changelog
- Fix OmniAuth tests and edge cases in error handling (ClearlyClaire, ClearlyClaire)
- Fix new installs by upgrading to the latest release of the nsa gem, instead of a no longer existing commit (mjankowski)
- Fix insufficient checking of remote posts (GHSA-jhrq-qvrm-qr36)
-
[1.13.1]
- Update Mastodon to 4.2.8
- This update changes registrations to be closed by default.
- Full changelog
- Add hourly task to automatically require approval for new registrations in the absence of moderators (ClearlyClaire, ClearlyClaire)
- In order to prevent future abandoned Mastodon servers from being used for spam, harassment and other malicious activity, Mastodon will now automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
- When this happens, users with the permission to change server settings will receive an email notification.
- This feature is disabled when EMAIL_DOMAIN_ALLOWLIST is used, and can also be disabled with DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true.
- Change registrations to be closed by default on new installations (ClearlyClaire)
- If you are running a server and never changed your registrations mode from the default, updating will automatically close your registrations.
- Simply re-enable them through the administration interface or using tootctl settings registrations open if you want to enable them again.
- Fix processing of remote ActivityPub actors making use of Link objects as Image url (ClearlyClaire)
- Fix link verifications when page size exceeds 1MB (ClearlyClaire)
-
[1.13.2]
- Update Mastodon to 4.2.9
- Full changelog
- Update dependencies
- Fix private mention filtering (GHSA-5fq7-3p3j-9vrf)
- Fix password change endpoint not being rate-limited (GHSA-q3rg-xx5v-4mxh)
- Add hardening around rate-limit bypass (GHSA-c2r5-cfqr-c553)
-
[1.13.4]
- Update Mastodon to 4.2.11
- Full changelog
-
[1.13.5]
- Update Mastodon to 4.2.12
- Full changelog
- This is a hotfix release for an issue introduced in 4.2.11
-
[1.13.6]
- Update Mastodon to 4.2.13
- Full changelog
- Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
- Update dependencies
- Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
- Fix replies collection being cached improperly
- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
-
-
[1.14.0]
- Update Mastodon to 4.3.0
- Full changelog
- Add server-side notification grouping
- Add notification policies, filtered notifications and notification requests
- Add notifications of severed relationships
- Add hover cards in web UI
- Add "system" theme setting (light/dark theme depending on user system preference)
- Add timeline of public posts about a trending link
- Add author highlight for news articles whose authors are on the fediverse
-
[1.14.1]
- Update Mastodon to 4.3.1
- Full changelog
-
[1.14.2]
- Update mastodon to 4.3.2
- Full Changelog
- Add
tootctl feeds vacuum
(#33065 by @ClearlyClaire) - Add error message when user tries to follow their own account (#31910 by @lenikadali)
- Add client_secret_expires_at to OAuth Applications (#30317 by @ThisIsMissEm)
- Change design of Content Warnings and filters (#32543 by @ClearlyClaire)
- Fix processing incoming post edits with mentions to unresolvable accounts (#33129 by @ClearlyClaire)
- Fix error when including multiple instances of
embed.js
(#33107 by @YKWeyer) - Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
- Fix
TagFollow
records not being correctly handled in account operations (#33063 by @ClearlyClaire) - Fix pushing hashtag-followed posts to feeds of inactive users (#33018 by @Gargron)
- Fix duplicate notifications in notification groups when using slow mode (#33014 by @ClearlyClaire)
- Fix posts made in the future being allowed to trend (#32996 by @ClearlyClaire)
- Fix uploading higher-than-wide GIF profile picture with libvips enabled (#32911 by @ClearlyClaire)
- Fix domain attribution field having autocorrect and autocapitalize enabled (#32903 by @ClearlyClaire)
- Fix titles being escaped twice (#32889 by @ClearlyClaire)
- Fix list creation limit check (#32869 by @ClearlyClaire)
- Fix error in
tootctl email_domain_blocks
when supplying--with-dns-records
(#32863 by @mjankowski) - Fix
min_id
andmax_id
causing error in search API (#32857 by @Gargron) - Fix inefficiencies when processing removal of posts that use featured tags (#32787 by @ClearlyClaire)
- Fix alt-text pop-in not using the translated description (#32766 by @ClearlyClaire)
- Fix preview cards with long titles erroneously causing layout changes (#32678 by @ClearlyClaire)
- Fix embed modal layout on mobile (#32641 by @DismalShadowX)
- Fix and improve batch attachment deletion handling when using OpenStack Swift (#32637 by @hugogameiro)
- Fix blocks not being applied on link timeline (#32625 by @tribela)
- Fix follow counters being incorrectly changed (#32622 by @oneiros)
- Fix 'unknown' media attachment type rendering (#32613 and #32713 by @ThisIsMissEm and @renatolond)
- Fix tl language native name (#32606 by @seav)