diff --git a/CHANGELOG.md b/CHANGELOG.md
index 605f611bd..c79103a32 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,18 @@
 All notable changes to this project will be documented in this file.
+## [4.2.24] - 2025-08-05
+
+### Security
+
+- Update dependencies
+- Fix incorrect rate-limit handling [GHSA-84ch-6436-c7mg](https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg)
+
+### Fixed
+
+- Fix race condition caused by ActiveRecord query cache in `Create` critical path (#35662 by @ClearlyClaire)
+- Fix WebUI crashing for accounts with `null` URL (#35651 by @ClearlyClaire)
+
 ## [4.2.23] - 2025-07-23
 ### Security
diff --git a/Gemfile.lock b/Gemfile.lock
index bdca97dae..e3035a5f7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -666,7 +666,7 @@ GEM
 rubocop-factory_bot (~> 2.22)
 ruby-prof (1.6.3)
 ruby-progressbar (1.13.0)
- ruby-saml (1.18.0)
+ ruby-saml (1.18.1)
 nokogiri (>= 1.13.10)
 rexml
 ruby2_keywords (0.0.5)
diff --git a/app/lib/activitypub/activity/create.rb b/app/lib/activitypub/activity/create.rb
index 459278c41..972ca7c66 100644
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@@ -50,9 +50,11 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 return reject_payload! if unsupported_object_type? || non_matching_uri_hosts?(@account.uri, object_uri) || tombstone_exists? || !related_to_local_activity?
 with_redis_lock("create:#{object_uri}") do
- return if delete_arrived_first?(object_uri) || poll_vote?
+ Status.uncached do
+ return if delete_arrived_first?(object_uri) || poll_vote?
- @status = find_existing_status
+ @status = find_existing_status
+ end
 if @status.nil?
 process_status
diff --git a/app/serializers/rest/account_serializer.rb b/app/serializers/rest/account_serializer.rb
index 310cf1b1e..d99bd5fb6 100644
--- a/app/serializers/rest/account_serializer.rb
+++ b/app/serializers/rest/account_serializer.rb
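Review bot: The new `Status.uncached do` wrapper carries no explanation of what it protects against, and to a reader unfamiliar with ActiveRecord's per-request query cache the nesting inside `with_redis_lock` looks redundant and is likely to be "simplified" away later. Presumably the hazard is that a `Status` lookup performed before the lock was taken (e.g. while evaluating `tombstone_exists?` or `related_to_local_activity?` on the `return reject_payload!` line) caches a miss, so the lookup inside the lock would return that stale nil even after a concurrent worker created the row; I would put `# Bypass the AR query cache: a miss cached before the lock was taken must not be reused for the duplicate check` above `Status.uncached do`. `delete_arrived_first?` and `poll_vote?` now also run uncached; if they only touch Redis that is harmless, but worth confirming. The enclosing method's signature and the `with_redis_lock` block's `end` are outside the hunk.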
@@ -63,7 +63,7 @@ class REST::AccountSerializer < ActiveModel::Serializer
 end
 def url
- ActivityPub::TagManager.instance.url_for(object)
+ ActivityPub::TagManager.instance.url_for(object) || ActivityPub::TagManager.instance.uri_for(object)
 end
 def uri
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index d4142dc7d..a600ace9c 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -126,7 +126,7 @@ class Rack::Attack
 end
 throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
- if req.post? && req.path_matches?('/auth/password')
+ if req.post? && req.path_matches?('/auth/confirmation')
 req.params.dig('user', 'email').presence
 elsif req.post? && req.path == '/api/v1/emails/confirmations'
 req.authenticated_user_id
diff --git a/docker-compose.yml b/docker-compose.yml
index 34f65f2b0..4b1fe34b6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -56,7 +56,7 @@ services:
 web:
 build: .
- image: ghcr.io/mastodon/mastodon:v4.2.23
+ image: ghcr.io/mastodon/mastodon:v4.2.24
 restart: always
 env_file: .env.production
 command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
@@ -77,7 +77,7 @@ services:
 streaming:
 build: .
- image: ghcr.io/mastodon/mastodon:v4.2.23
+ image: ghcr.io/mastodon/mastodon:v4.2.24
 restart: always
 env_file: .env.production
 command: node ./streaming
@@ -95,7 +95,7 @@ services:
 sidekiq:
 build: .
- image: ghcr.io/mastodon/mastodon:v4.2.23
+ image: ghcr.io/mastodon/mastodon:v4.2.24
 restart: always
 env_file: .env.production
 command: bundle exec sidekiq
diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb
index 66897a7da..d6c03fce6 100644
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@@ -13,7 +13,7 @@ module Mastodon
 end
 def patch
- 23
+ 24
 end
 def default_prerelease
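Review bot: The fallback on the added line in `url` only fires when `url_for(object)` returns `nil`; if an account's `url` can be persisted as an empty string rather than NULL (the column's constraints are not visible in this hunk), `""` is truthy in Ruby and the serializer still emits an empty `url`, which is the same class of value the WebUI fix in this release is meant to keep out of API responses. Using `.presence` covers both shapes in one line: `ActivityPub::TagManager.instance.url_for(object).presence || ActivityPub::TagManager.instance.uri_for(object)`. A comment above the expression, such as `# Remote accounts may have no url; fall back to the ActivityPub id so clients always receive a link`, would also record why a REST `url` field can now carry an AP URI. The rest of the serializer is outside the hunk.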
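Review bot: The throttle key on the line after the corrected path is the raw `user[email]` parameter, so the same mailbox can be targeted under case or whitespace variants (`Foo@example.com`, ` foo@example.com`) and each variant receives its own bucket of 5 per 30 minutes; if the confirmation endpoint resolves users case-insensitively (not visible here), normalising the key closes that gap: `req.params.dig('user', 'email').to_s.strip.downcase.presence`. Since the wrong path is exactly what GHSA-84ch-6436-c7mg fixed and the two Devise routes are easy to confuse, a comment on the `if` line naming what this rule guards (`# Devise "resend confirmation" form; keyed on the target address`) would make the path harder to regress. The `throttle` block's `end` and the enclosing `class Rack::Attack` body continue outside the hunk.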