Follow
#ResPublicae has been upgraded to Mastodon v3.5.9, a security release.
https://github.com/mastodon/mastodon/releases?q=v3.5&expanded=true
The upgrade was painless. Thank you #MastoDev and especially @Claire[@]sitedethib.com for offering backports to pre-v4 releases and for the clear instructions.
While the details of CVE-2023-36459 have not been published yet, the title suggests the vulnerability may be exploitable even on an instance like ours where no third party can directly post anything.
https://github.com/mastodon/mastodon/releases?q=v3.5&expanded=true
And we're now on v3.5.10.
More information on the importance of the v3.5.9 release:
https://www.bleepingcomputer.com/news/security/critical-tootroot-bug-lets-attackers-hijack-mastodon-servers/