From dd6bd0267ce4543fda79c048e2d9bc840082475f Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Sun, 4 Feb 2024 20:41:06 +0100
Subject: [PATCH] Release: v2023.12.3

---
 CHANGELOG.md | 21 +++++++++++++++++++++
 package.json | 2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5334f41ce..db0f2693a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,24 @@
+## v2023.12.3
+### Release notes
+This is a security release. Upgrading is strongly recommended, as is adding an instance-wide announcement informing your users that if they previously imported posts from Mastodon, they should check their imported post history for DMs and follower-only posts that should not be public.
+
+### Vulnerability explanation
+The Mastodon post import feature (that has been untouched since Iceshrimp was forked from Firefish last year) did not correctly validate/set post visibility on imported posts. Due to the nature of the vulnerability, it's impossible to reconstruct which posts have been imported, and therefore we cannot restrict access to them in an update.
+
+### Backend
+- Post imports have been disabled
+- Existing posts that have the "hidden" visibility are now only accessible to the author
+
+### Frontend
+- The UI for post imports has been removed
+
+### Miscellaneous
+- The yarn version was updated to 4.1.0
+- The helm chart was updated
+
+### Attribution
+This release was made possible by project contributors: Laura Hausmann & corite
+
 ## v2023.12.2
 ### Release notes
 This release contains minor fixes and improvements. Upgrading is recommended, especially if you have a lot of delayed jobs in your deliver queue.
diff --git a/package.json b/package.json
index 8e0dd6e78..0e81b30ea 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "iceshrimp",
- "version": "2023.12.2",
+ "version": "2023.12.3",
 "repository": {
 "type": "git",
 "url": "https://iceshrimp.dev/iceshrimp/iceshrimp.git"