From adb9109a6abd0f02b0221dc0a5bf1b4ed824f364 Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 7 May 2026 16:47:19 +0200 Subject: [PATCH 1/9] Fix type of `interactingObject`, `interactionTarget` and add missing `QuoteAuthorization` (#38940) --- app/helpers/context_helper.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/helpers/context_helper.rb b/app/helpers/context_helper.rb index b0db74dfeac425..3015bc3ab9bf2a 100644 --- a/app/helpers/context_helper.rb +++ b/app/helpers/context_helper.rb @@ -58,9 +58,9 @@ module ContextHelper }, quote_authorizations: { 'gts' => 'https://gotosocial.org/ns#', - 'quoteAuthorization' => { '@id' => 'https://w3id.org/fep/044f#quoteAuthorization', '@type' => '@id' }, - 'interactingObject' => { '@id' => 'gts:interactingObject' }, - 'interactionTarget' => { '@id' => 'gts:interactionTarget' }, + 'QuoteAuthorization' => 'https://w3id.org/fep/044f#QuoteAuthorization', + 'interactingObject' => { '@id' => 'gts:interactingObject', '@type' => '@id' }, + 'interactionTarget' => { '@id' => 'gts:interactionTarget', '@type' => '@id' }, }, }.freeze From 6b2ff5b1f70622176838a6fd5c44f77471e76772 Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 23 Apr 2026 16:26:19 +0200 Subject: [PATCH 2/9] Remove unused devise strategies (#38795) --- config/initializers/devise.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 149c1b1af4abbc..2047b091572356 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb 
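Review bot: The rewritten `quote_authorizations` section now declares the `QuoteAuthorization` type, but the line it replaces was the only definition of the `quoteAuthorization` property term visible in this hunk; if that property is not declared in another section of the context (the hash starts before and ends after this hunk), documents carrying it will stop compacting to the short key, so it is worth confirming where the property term now lives. The section would also read better with a one-line comment stating why the two `gts:` terms carry `'@type' => '@id'`, e.g. `# FEP-044f quote authorizations: interactingObject/interactionTarget are IRIs, hence '@type' => '@id'`.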
@@ -98,8 +98,6 @@ def session_cookie manager.default_strategies(scope: :user).unshift :two_factor_ldap_authenticatable if Devise.ldap_authentication manager.default_strategies(scope: :user).unshift :two_factor_pam_authenticatable if Devise.pam_authentication manager.default_strategies(scope: :user).unshift :session_activation_rememberable - manager.default_strategies(scope: :user).unshift :two_factor_authenticatable - manager.default_strategies(scope: :user).unshift :two_factor_backupable end # The secret key used by Devise. Devise uses this key to generate From 04892a064da93440810f7226000ba1c022045efd Mon Sep 17 00:00:00 2001 From: Claire Date: Tue, 12 May 2026 10:32:40 +0200 Subject: [PATCH 3/9] Update dependency `nokogiri` --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index c52f908a58ec03..34bf5f59810196 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -472,7 +472,7 @@ GEM net-smtp (0.5.1) net-protocol nio4r (2.7.5) - nokogiri (1.19.2) + nokogiri (1.19.3) mini_portile2 (~> 2.8.2) racc (~> 1.4) omniauth (2.1.4) From aa3fa52601e96a79c28d33c3f51bef24c6432c43 Mon Sep 17 00:00:00 2001 From: Claire Date: Tue, 12 May 2026 10:36:41 +0200 Subject: [PATCH 4/9] Update dependency `axios` --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index a10b31e7a64e1c..4248331e645cc4 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -5807,13 +5807,13 @@ __metadata: linkType: hard "axios@npm:^1.15.0": - version: 1.15.0 - resolution: "axios@npm:1.15.0" + version: 1.15.2 + resolution: "axios@npm:1.15.2" dependencies: follow-redirects: "npm:^1.15.11" form-data: "npm:^4.0.5" proxy-from-env: "npm:^2.1.0" - checksum: 10c0/47e0f860e98d4d7aa145e89ce0cae00e1fb0f1d2485f065c21fce955ddb1dba4103a46bd0e47acd18a27208a7f62c96249e620db575521b92a968619ab133409 + checksum: 10c0/4eeae0feeaa7fdc1ef24f81f8b378fdadedf4aebdd6bf224484675160f8744cf17b9b0d1c215279979940f7e8ce463beffa2f713099612e428eac238515c81d5 languageName: node linkType: hard From 8d66457df8bdb2e1c6096402bc4d8c0a2468fb40 Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 20 May 2026 14:34:32 +0200 Subject: [PATCH 5/9] Merge commit from fork * Refactor `PrivateAddressCheck` Also ensures IPv4-mapped IPv6 addresses get properly checked no matter the version of `ipaddr`. * Add some missing IPv6 ranges from `PrivateAddressCheck` --- app/lib/private_address_check.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/app/lib/private_address_check.rb b/app/lib/private_address_check.rb index 5c4db6ffae2927..e0ba017ba3c027 100644 --- a/app/lib/private_address_check.rb +++ b/app/lib/private_address_check.rb @@ -1,7 +1,8 @@ # frozen_string_literal: true module PrivateAddressCheck - IP4_CIDR_LIST = [ + CIDR_LIST = [ + # IPv4 addresses IPAddr.new('0.0.0.0/8'), # Current network (only valid as source address) IPAddr.new('100.64.0.0/10'), # Shared Address Space IPAddr.new('172.16.0.0/12'), # Private network 
@@ -14,10 +15,11 @@ module PrivateAddressCheck IPAddr.new('224.0.0.0/4'), # IP multicast (former Class D network) IPAddr.new('240.0.0.0/4'), # Reserved (former Class E network) IPAddr.new('255.255.255.255'), # Broadcast - ].freeze - CIDR_LIST = (IP4_CIDR_LIST + IP4_CIDR_LIST.map(&:ipv4_mapped) + [ + # IPv6 addresses + IPAddr.new('::/128'), # Unspecified IPAddr.new('64:ff9b::/96'), # IPv4/IPv6 translation (RFC 6052) + IPAddr.new('64:ff9b:1::/48'), # IPv4/IPv6 translation (RFC 8215) IPAddr.new('100::/64'), # Discard prefix (RFC 6666) IPAddr.new('2001::/32'), # Teredo tunneling IPAddr.new('2001:10::/28'), # Deprecated (previously ORCHID) @@ -25,12 +27,14 @@ module PrivateAddressCheck IPAddr.new('2001:db8::/32'), # Addresses used in documentation and example source code IPAddr.new('2002::/16'), # 6to4 IPAddr.new('fc00::/7'), # Unique local address + IPAddr.new('3fff::/20'), # Addresses used in documentation and example source code IPAddr.new('ff00::/8'), # Multicast - ]).freeze + ].freeze module_function def private_address?(address) + address = address.native if address.ipv6? && address.ipv4_mapped? address.private? || address.loopback? || address.link_local? || CIDR_LIST.any? { |cidr| cidr.include?(address) } end end From 49a8947feff9139e8febbb96e88a8ed7a14a63f3 Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 20 May 2026 14:38:24 +0200 Subject: [PATCH 6/9] Merge commit from fork --- app/helpers/json_ld_helper.rb | 12 ++++++++++++ app/lib/activitypub/linked_data_signature.rb | 1 + .../activitypub/process_collection_service.rb | 4 ++++ 3 files changed, 17 insertions(+) diff --git a/app/helpers/json_ld_helper.rb b/app/helpers/json_ld_helper.rb index 2e331629e4895a..f833f51ff9537e 100644 --- a/app/helpers/json_ld_helper.rb +++ b/app/helpers/json_ld_helper.rb 
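Review bot: The new normalisation in `private_address?` only unwraps IPv4-mapped addresses (`ipv4_mapped?`), so an IPv6 address embedding an IPv4 address in another form still only goes through the IPv6 checks. In the `ipaddr` versions I know, `IPAddr#native` also unwraps the deprecated IPv4-compatible form and returns `self` for any other address, so `address = address.native if address.ipv6?` would cover both without the extra predicate; confirm against the pinned `ipaddr` version, since the commit message says behaviour differs across versions. `CIDR_LIST` would benefit from a comment stating that IPv4 entries are matched after this unwrapping, which is why the former `ipv4_mapped` expansion of the list is no longer needed. A YARD tag `# @param address [IPAddr]` on `private_address?` would make explicit that the caller, not this method, parses the string.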
@@ -3,6 +3,8 @@ module JsonLdHelper include ContextHelper + UNSUPPORTED_JSONLD_KEYWORDS = %w(@graph @included @reverse).freeze + def equals_or_includes?(haystack, needle) haystack.is_a?(Array) ? haystack.include?(needle) : haystack == needle end @@ -118,6 +120,16 @@ def compact(json) compacted end + def unsupported_jsonld_features?(json) + if json.is_a?(Hash) + json.any? { |key, value| UNSUPPORTED_JSONLD_KEYWORDS.include?(key) || unsupported_jsonld_features?(value) } + elsif json.is_a?(Array) + json.any? { |value| unsupported_jsonld_features?(value) } + else + false + end + end + # Patches a JSON-LD document to avoid compatibility issues on redistribution # # Since compacting a JSON-LD document against Mastodon's built-in vocabulary diff --git a/app/lib/activitypub/linked_data_signature.rb b/app/lib/activitypub/linked_data_signature.rb index c42313b05ee975..62350a6f107eeb 100644 --- a/app/lib/activitypub/linked_data_signature.rb +++ b/app/lib/activitypub/linked_data_signature.rb @@ -12,6 +12,7 @@ def initialize(json) def verify_actor! return unless @json['signature'].is_a?(Hash) + return if unsupported_jsonld_features?(@json) type = @json['signature']['type'] creator_uri = @json['signature']['creator'] diff --git a/app/services/activitypub/process_collection_service.rb b/app/services/activitypub/process_collection_service.rb index 7cb4e256520ac5..6b9911706e0f32 100644 --- a/app/services/activitypub/process_collection_service.rb +++ b/app/services/activitypub/process_collection_service.rb 
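Review bot: `unsupported_jsonld_features?` matches the literal keywords `@graph`, `@included` and `@reverse` at any depth, so it only catches them once keyword aliases declared in a document's `@context` have been resolved; `verify_actor!` (the `linked_data_signature.rb` hunk, whose method continues past the hunk) calls it on whatever `@json` the caller supplied, so the guarantee depends on callers passing an already compacted document and deserves a comment on the method, e.g. `# Assumes a compacted document: keyword aliases declared in @context are not resolved here.`. The recursion also descends into `@context` values, where a term definition may legitimately use `@reverse`; that yields a conservative refusal rather than a bypass, but it should be stated in the docstring so the false positive is not later "fixed" by skipping `@context`. The recursion is unbounded, so a deeply nested body would raise `SystemStackError`; Ruby's `JSON.parse` defaults to `max_nesting: 100`, which bounds this if the document came through it, but I cannot see the parse site from here. A YARD docstring with `# @param json [Object] parsed JSON-LD document or fragment` and `# @return [Boolean]` would round it out.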
@@ -13,6 +13,10 @@ def call(body, actor, **options) begin @json = compact(@json) if @json['signature'].is_a?(Hash) + if unsupported_jsonld_features?(@json) + Rails.logger.debug { "JSON-LD document for #{value_or_id(@json['actor'])} contains unsupported JSON-LD features" } + @json = original_json.without('signature') + end rescue JSON::LD::JsonLdError => e Rails.logger.debug { "Error when compacting JSON-LD document for #{value_or_id(@json['actor'])}: #{e.message}" } @json = original_json.without('signature') From 3a6f6247ea80818a0b64dd2b199b82bf5c76f1b3 Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 20 May 2026 14:50:11 +0200 Subject: [PATCH 7/9] Update dependency `addressable` --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 34bf5f59810196..24f9c550a6541b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -89,7 +89,7 @@ GEM securerandom (>= 0.3) tzinfo (~> 2.0, >= 2.0.5) uri (>= 0.13.1) - addressable (2.8.9) + addressable (2.9.0) public_suffix (>= 2.0.2, < 8.0) aes_key_wrap (1.1.0) android_key_attestation (0.3.0) From 6ded1397c904eaffb9c8e837460eccb3c58abcb6 Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 20 May 2026 14:50:42 +0200 Subject: [PATCH 8/9] Update dependency `devise` --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 24f9c550a6541b..df2e8703d6cb30 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -190,7 +190,7 @@ GEM irb (~> 1.10) reline (>= 0.3.8) debug_inspector (1.2.0) - devise (5.0.3) + devise (5.0.4) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 7.0) From 676b5cee46aa8f23ef79d9e7d60b24cd76d9f765 Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 20 May 2026 11:12:53 +0200 Subject: [PATCH 9/9] Bump version to v4.5.10 --- CHANGELOG.md | 33 +++++++++++++++++++++++++++++++++ docker-compose.yml | 6 +++--- lib/mastodon/version.rb | 2 +- 3 files changed, 37 insertions(+), 4 deletions(-) 
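Review bot: The new `if` is unconditional while the preceding `compact` runs only when a signature is present, so for unsigned documents the check inspects the uncompacted JSON, where keyword aliases from `@context` are not resolved, and the debug message then reports a condition that is irrelevant for that path; gating it the same way, `if @json['signature'].is_a?(Hash) && unsupported_jsonld_features?(@json)`, keeps the check to the signed case it protects. When the check trips, `@json` becomes `original_json.without('signature')`, which still carries the `@graph`/`@included`/`@reverse` structure into the unsigned path, so downstream code must tolerate those keys — presumably it ignores unknown ones, which I cannot confirm from the hunk. This branch and the `rescue` below perform the same fallback; a comment above the `if` such as `# The signature cannot be trusted once the graph may have been restructured; treat the payload as unsigned` would explain why the signature is discarded rather than the document rejected. `call` starts and ends outside the hunk.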
diff --git a/CHANGELOG.md b/CHANGELOG.md index 56b6fbc92cf2bf..15b25a4c38e94a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,39 @@ All notable changes to this project will be documented in this file. +## [4.5.10] - 2026-05-20 + +### Security + +- Fix SSRF protection bypass ([GHSA-crr4-7rm4-8gpw](https://github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpw), [GHSA-xx55-4rrg-8xg6](https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6)) +- Fix Linked-Data Signature bypass through JSON-LD graph restructuring features ([GHSA-53m7-2wrh-q839](https://github.com/mastodon/mastodon/security/advisories/GHSA-53m7-2wrh-q839), [GHSA-chgx-jx3p-rf73](https://github.com/mastodon/mastodon/security/advisories/GHSA-chgx-jx3p-rf73)) +- Updated dependencies + +### Fixed + +- Fix type of `interactingObject`, `interactionTarget` and add missing `QuoteAuthorization` (#38940 by @ClearlyClaire) + +### Removed + +- Remove unused devise strategies (#38795 by @ClearlyClaire) + +## [4.5.9] - 2026-04-15 + +### Security + +- Insufficient verification of email addresses ([GHSA-5r37-qpwq-2jhh](https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh)) +- Updated dependencies + +### Added + +- Add trademark warning to `mastodon:setup` task (#38548 by @ClearlyClaire) + +### Fixed + +- Fix definition for `quote` in JSON-LD context (#38686 by @ClearlyClaire) +- Fix being unable to disable sound for quote update notification (#38537 by @ClearlyClaire) +- Fix being able to quote someone you blocked (#38608 by @ClearlyClaire) + ## [4.5.8] - 2026-03-24 ### Security diff --git a/docker-compose.yml b/docker-compose.yml index 27496774189642..a7fbdc21698bb9 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -59,7 +59,7 @@ services: web: # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes build: . - image: kmyblue:23.1 + image: kmyblue:23.2 restart: always env_file: .env.production command: bundle exec puma -C config/puma.rb @@ -83,7 +83,7 @@ services: build: dockerfile: ./streaming/Dockerfile context: . - image: kmyblue-streaming:23.1 + image: kmyblue-streaming:23.2 restart: always env_file: .env.production command: node ./streaming/index.js @@ -101,7 +101,7 @@ services: sidekiq: build: . - image: kmyblue:23.1 + image: kmyblue:23.2 restart: always env_file: .env.production command: bundle exec sidekiq diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index 96581b7270a6ce..11e80da67257df 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -13,7 +13,7 @@ def kmyblue_major end def kmyblue_minor - 1 + 2 end def kmyblue_flag