Changelog

Security

• Fix missing limits on various federated properties GHSA-gg8q-rcg7-p79g
• Fix remote user suspension bypass GHSA-5h2f-wg8j-xqwp
• Fix missing length limits on some user-provided fields GHSA-6x3w-9g92-gvf3
• Fix missing access check for push notification settings update GHSA-f3q8-7vw3-69v4

Fixed

• Fix FeedManager#filter_from_home error when handling a reblog of a deleted status (#37486 by @ClearlyClaire)
• Fix needlessly complicated SQL query in status batch removal (#37469 by @ClearlyClaire)
• Fix Vary parsing in cache control enforcement (#37426 by @MegaManSec)
• Fix thread-unsafe ActivityPub activity dispatch (#37423 by @MegaManSec)
• Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375 by @shleeable)

Upgrade notes

To get the code for v4.3.18, use git fetch && git checkout v4.3.18.

Dependencies

External dependencies have not changed since v4.3.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.1 or newer
• PostgreSQL: 12 or newer. PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug (see v4.3.0 release notes)
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 18 or newer
• ImageMagick (optional if using libvips): 6.9.7-7 or newer
• libvips (optional, instead of ImageMagick): 8.13 or newer

Update steps

The following instructions are for updating from 4.3.17.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, please read the v4.3.0 release notes, as there have been multiple important changes.

Non-docker

1. Restart all Mastodon processes.

When using docker

1. Restart all Mastodon processes.