Hey there, in case you had not noticed it, we released Friendica 2024.02-rc on Wednesday. Among the unlisted things in the release notes are bug fixes for two security/privacy related bugs that have been found in 2023.12.

If you have not yet updated to the 2024.03-RC, personally I would encourage you to do so (or to the latest development branch, there the fixes are included as well). The RC branch is pretty stable and we aim for a release as early in March as possible.

In case you have not installed Friendica using git, but with the archive files, please have a look at the 2023.12 release notes and pick the latest archives from files.friendi.ca (there is already a friendica-full-2024.03-rc archive, but for the addons you need to take the friendica-addons-2024.03-dev archive as the RC branch had not seen any commits for the addons so far).

!Friendica Admins

in reply to Tobias

@Tobias How critical is this? I'm running via Docker and there doesn't seem to be a 2024.03-RC image yet.
in reply to Sarah Brown

One of the bugs fixed in this RC seems quite serious to me (not sure what the other one is though). It allows exploits similar to those targeting a recent Mastodon CVE, so you (and any admins reading this) should definitely update as soon as possible.
If you are using Docker, the 2024.03-dev tag seems to contain the fix already (still not sure about the other fix though), so probably you can try that. (However, 2024.03-dev may be less stable than 2024.03-rc.)
in reply to Kana Kana

@Kana Kana @Tobias Ok. If I run the dev branch, will I be able to switch back to stable without nuking my database?
in reply to Sarah Brown

At the very moment of the release, yes. The RC branch is merged into stable and this is merged with develop afterwards. So you can switch from develop to stable at the release point. (And likely a bit afterwards until the next changes to the DB hit develop; after this you should not switch back.)
in reply to Tobias

> in the release note are bug fixes for two security/privacy related bugs that have been found in 2023.12

Are these security issues specific to 2023.12 or do they date back to older versions?

If so:
Some way to know when this security issue came up?
Some easy fix inside existing older installations to fix those security/privacy bugs?


in reply to utopiArte

I found this issue description on GitHub:
Fix several vulnerabilities (#13927)
https://github.com/friendica/friendica/commit/5c5d7eb04fbacbe5987bd83022b158e095d13f13

Are these the mentioned problems?
Are they only relevant/exploitable by users that have a profile on the server?
