**Una, in perspective** @unascribed@sleeping.town · Sep 19, 2023, 20:09

**Una, in perspective** @unascribed@sleeping.town · Sep 19, 2023, 20:09

Una, in perspective @unascribed@sleeping.town

Sep 19, 2023, 20:09

Una, in perspective @unascribed@sleeping.town

the new mastodon security vulnerabilities

fwiw, instances that never updated to Mastodon 4.2.0 are not vulnerable to GHSA-hcqf-fw2r-52g4 (the URI validation/confused-deputy stuff)

and GHSA-2693-xr3m-jhqr (bad HTML sanitization) only applies if you have a translation service enabled

as such, only GHSA-v3xf-c9qf-j667 (the domain spoof) needs to be cherry-picked for sleeping.town, and I'm deploying that now — i've also gone ahead and cherry-picked the translation fix in the event someone else is running unstodon with translation enabled, but the uri validation fix does not even apply

commit is eeab3560fc

**Kaito / Katie Sinclaire** @KS · Sep 20, 2023, 22:19

**Kaito / Katie Sinclaire** @KS · Sep 20, 2023, 22:19

Sep 20, 2023, 22:19

Kaito / Katie Sinclaire @KS

the new mastodon security vulnerabilities

@unascribed if you cherry-picked the translation fix you probably want to cherry-pick 5d93c5f too, because it turns out the fix they pushed actually broke the entire translation service altogether on non-4.2 branches