Mastodon - Package Updates
Pinned
Mastodon
-
[1.12.6]
- Update Mastodon to 4.2.6
- This release is an important security release fixing several security issue.
- Full changelog
- Change external authentication behavior to never reattach a new identity to an existing user by default (GHSA-vm39-j3vx-pch3)
- Update the nokogiri dependency (see GHSA-xc9x-jj77-9p9j)
- Disable administrative Doorkeeper routes (ThisIsMissEm)
- Fix ongoing streaming sessions not being invalidated when applications get deleted in some cases (GHSA-7w3c-p9j8-mq3x)
- Update the sidekiq-unique-jobs dependency (see GHSA-cmh9-rx85-xj38)
-
[1.13.0]
- Update Mastodon to 4.2.7
- This release is an important security release fixing several security issue.
- With this package release, the app moves from LDAP authentication to OpenID Connect
- Full changelog
- Fix OmniAuth tests and edge cases in error handling (ClearlyClaire, ClearlyClaire)
- Fix new installs by upgrading to the latest release of the nsa gem, instead of a no longer existing commit (mjankowski)
- Fix insufficient checking of remote posts (GHSA-jhrq-qvrm-qr36)
-
[1.13.1]
- Update Mastodon to 4.2.8
- This update changes registrations to be closed by default.
- Full changelog
- Add hourly task to automatically require approval for new registrations in the absence of moderators (ClearlyClaire, ClearlyClaire)
- In order to prevent future abandoned Mastodon servers from being used for spam, harassment and other malicious activity, Mastodon will now automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
- When this happens, users with the permission to change server settings will receive an email notification.
- This feature is disabled when EMAIL_DOMAIN_ALLOWLIST is used, and can also be disabled with DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true.
- Change registrations to be closed by default on new installations (ClearlyClaire)
- If you are running a server and never changed your registrations mode from the default, updating will automatically close your registrations.
- Simply re-enable them through the administration interface or using tootctl settings registrations open if you want to enable them again.
- Fix processing of remote ActivityPub actors making use of Link objects as Image url (ClearlyClaire)
- Fix link verifications when page size exceeds 1MB (ClearlyClaire)
-
[1.13.2]
- Update Mastodon to 4.2.9
- Full changelog
- Update dependencies
- Fix private mention filtering (GHSA-5fq7-3p3j-9vrf)
- Fix password change endpoint not being rate-limited (GHSA-q3rg-xx5v-4mxh)
- Add hardening around rate-limit bypass (GHSA-c2r5-cfqr-c553)
-
[1.13.4]
- Update Mastodon to 4.2.11
- Full changelog
-
[1.13.5]
- Update Mastodon to 4.2.12
- Full changelog
- This is a hotfix release for an issue introduced in 4.2.11
-
[1.13.6]
- Update Mastodon to 4.2.13
- Full changelog
- Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
- Update dependencies
- Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
- Fix replies collection being cached improperly
- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
-
-
[1.14.0]
- Update Mastodon to 4.3.0
- Full changelog
- Add server-side notification grouping
- Add notification policies, filtered notifications and notification requests
- Add notifications of severed relationships
- Add hover cards in web UI
- Add "system" theme setting (light/dark theme depending on user system preference)
- Add timeline of public posts about a trending link
- Add author highlight for news articles whose authors are on the fediverse
-
[1.14.1]
- Update Mastodon to 4.3.1
- Full changelog