Merge tag 'v4.2.24'

2026-02-04 11:35:13 +00:00 · 2025-08-06 11:39:45 +08:00 · 2025-08-06 11:39:45 +08:00 · 5c898bddec
commit 5c898bddec
parent 8c8b6b6c6a ca1c58d5f6
7 changed files with 23 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,18 @@

 All notable changes to this project will be documented in this file.

+## [4.2.24] - 2025-08-05
+
+### Security
+
+- Update dependencies
+- Fix incorrect rate-limit handling [GHSA-84ch-6436-c7mg](https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg)
+
+### Fixed
+
+- Fix race condition caused by ActiveRecord query cache in `Create` critical path (#35662 by @ClearlyClaire)
+- Fix WebUI crashing for accounts with `null` URL (#35651 by @ClearlyClaire)
+
 ## [4.2.23] - 2025-07-23

 ### Security
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -666,7 +666,7 @@ GEM
      rubocop-factory_bot (~> 2.22)
    ruby-prof (1.6.3)
    ruby-progressbar (1.13.0)
-    ruby-saml (1.18.0)
+    ruby-saml (1.18.1)
      nokogiri (>= 1.13.10)
      rexml
    ruby2_keywords (0.0.5)
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@ -50,9 +50,11 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
    return reject_payload! if unsupported_object_type? || non_matching_uri_hosts?(@account.uri, object_uri) || tombstone_exists? || !related_to_local_activity?

    with_redis_lock("create:#{object_uri}") do
-      return if delete_arrived_first?(object_uri) || poll_vote?
+      Status.uncached do
+        return if delete_arrived_first?(object_uri) || poll_vote?

-      @status = find_existing_status
+        @status = find_existing_status
+      end

      if @status.nil?
        process_status
--- a/app/serializers/rest/account_serializer.rb
+++ b/app/serializers/rest/account_serializer.rb
@ -63,7 +63,7 @@ class REST::AccountSerializer < ActiveModel::Serializer
  end

  def url
-    ActivityPub::TagManager.instance.url_for(object)
+    ActivityPub::TagManager.instance.url_for(object) || ActivityPub::TagManager.instance.uri_for(object)
  end

  def uri
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@ -126,7 +126,7 @@ class Rack::Attack
  end

  throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
-    if req.post? && req.path_matches?('/auth/password')
+    if req.post? && req.path_matches?('/auth/confirmation')
      req.params.dig('user', 'email').presence
    elsif req.post? && req.path == '/api/v1/emails/confirmations'
      req.authenticated_user_id
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -56,7 +56,7 @@ services:

  web:
    build: .
-    image: ghcr.io/mastodon/mastodon:v4.2.23
+    image: ghcr.io/mastodon/mastodon:v4.2.24
    restart: always
    env_file: .env.production
    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
@ -77,7 +77,7 @@ services:

  streaming:
    build: .
-    image: ghcr.io/mastodon/mastodon:v4.2.23
+    image: ghcr.io/mastodon/mastodon:v4.2.24
    restart: always
    env_file: .env.production
    command: node ./streaming
@ -95,7 +95,7 @@ services:

  sidekiq:
    build: .
-    image: ghcr.io/mastodon/mastodon:v4.2.23
+    image: ghcr.io/mastodon/mastodon:v4.2.24
    restart: always
    env_file: .env.production
    command: bundle exec sidekiq
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@ -13,7 +13,7 @@ module Mastodon
    end

    def patch
-      23
+      24
    end

    def default_prerelease