[Ghost] Blogging platform


No.

The branch over at GitHub - YunoHost-Apps/ghost_ynh: Ghost package for YunoHost is kept updated for the sake of having it available. However, it will not work, since it contains the incompatibility with MariaDB.

Should we worry about the security updates? On the Ghost forum I see an announcement that spurs everyone to update to v5.22.

"We have been made aware of a security vulnerability in Ghost 4.x between v4.46.0 and v4.48.8 and Ghost 5.x prior to v5.22.7. This is patched in the latest releases, which have already been rolled out on Ghost(Pro). Self-hosters should update to the latest versions as soon as possible.

Details:

On sites where members is enabled (this is the default) it is possible for members (unprivileged users) to make changes to newsletter settings. This gives unprivileged users the ability to view and change settings they were not intended to have access to. They are not able to escalate their privileges permanently or get access to further information. This issue was caused by a gap in our API validation for nested objects.

Ghost(Pro):

Ghost(Pro) has already been patched. We have investigated and found no evidence that the issue was exploited prior to the patch being added - meaning no customer sites have been compromised. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.

Patch & Workarounds:

v4.48.8 / v5.22.7 are patched for all known exploits
v4.48.9 / v5.24.1 contain deeper fixes to the API to close the potential for this vulnerability to appear elsewhere or regress

As a workaround, if for any reason you cannot update your Ghost instance, you can prevent this exploit by disabling members until an update can be performed."
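The advisory quoted above gives three thresholds per major line (start of the affected range, first patched release, first release with the deeper API fix). The script below, added here as an example and not part of this thread or of Ghost's own tooling, classifies a self-hosted version against those thresholds so an admin can tell "vulnerable" from "patched but without the deeper fix". The `package.json` path is an assumption about where a YunoHost install keeps Ghost; pass the real path as the first argument.

```python
"""Classify a self-hosted Ghost version against the quoted advisory (added example)."""
import json
import re
import sys

# Thresholds copied from the quoted advisory.
# Affected: 4.x from v4.46.0 up to (not including) v4.48.8; 5.x before v5.22.7.
AFFECTED_RANGES = [((4, 46, 0), (4, 48, 8)), ((5, 0, 0), (5, 22, 7))]
# First releases that carry the "deeper" API fixes against regression.
DEEPER_FIX = {4: (4, 48, 9), 5: (5, 24, 1)}


def parse_version(text):
    """Turn 'v5.22.7', '5.22.7' or '5.22.7-beta.1' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"not a semantic version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return one of: vulnerable, patched, hardened, not_affected, not_covered."""
    version = parse_version(version_text)
    major = version[0]
    if major not in DEEPER_FIX:
        return "not_covered"  # the advisory says nothing about other major lines
    if any(low <= version < high for low, high in AFFECTED_RANGES):
        return "vulnerable"
    if version >= DEEPER_FIX[major]:
        return "hardened"  # initial fix plus the deeper API validation fix
    first_patched = max(high for low, high in AFFECTED_RANGES if low[0] == major)
    if version >= first_patched:
        return "patched"  # initial fix only; the deeper fix is not yet included
    return "not_affected"  # 4.x older than v4.46.0


def version_from_package_json(path):
    """Read the "version" field from Ghost's package.json (path is an assumption, see lead-in)."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)["version"]


def main(argv):
    # Assumed location for a YunoHost install; override with argv[1].
    path = argv[1] if len(argv) > 1 else "/var/www/ghost/package.json"
    try:
        version = version_from_package_json(path)
    except (OSError, KeyError, ValueError) as err:
        print(f"could not read Ghost version from {path}: {err}")
        return 2
    status = assess(version)
    print(f"Ghost {version}: {status}")
    if status == "vulnerable":
        print("update now, or disable members until you can (advisory workaround)")
    # Non-zero exit so the check can be wired into a cron job or monitoring hook.
    return 1 if status == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as `python3 ghost_advisory_check.py /path/to/ghost/package.json` prints the classification and exits non-zero only when the installed version falls inside an affected range, which makes it easy to drop into a scheduled check.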

Yes. None will be done in the foreseeable future.


Luckily, I haven't created anything yet on the Ghost I installed :yum:
I will probably use a flat-file CMS instead. Still not decided on which one: Automad? Bludit? Grav? Hmm


Ouch.
Is it because YunoHost should use PostgreSQL and that's not on the to-do list?

No. Please read the GitHub issue on the Ghost repo.

YunoHost uses MariaDB in lieu of MySQL. Ghost will only support MySQL and says that it's the knex library's fault if an incompatibility arises.

Thanks for your time and patience.

@baudouinvh @freddewitt @GoustiFruit @mbro
I might have found a temporary workaround to fix the issue. Would you mind trying it?

To do a fresh install:
sudo yunohost app install https://github.com/YunoHost-Apps/ghost_ynh/tree/testing -f

To upgrade:
sudo yunohost app upgrade ghost -u https://github.com/YunoHost-Apps/ghost_ynh/tree/testing -F

:crossed_fingers:


Quick test: no visible problem (install only).
These messages at the end of the process, though:

We have a recurring issue with detecting the service start-up, nothing serious.
The current problem is with editing new posts; could you try editing one?

I created a new one → published → OK; then edited it → published → OK; then deleted it too → OK.

So, what is this magic: did you solve (work around) the problem with MariaDB?


As said on GitHub, a fresh install works for me :slight_smile:

I don't have my test env set up at the moment, but if nobody else steps in I can volunteer in a few days to test out the upgrade. Looking at the code, though, my guess is that if fresh installs work then upgrades will too :hammer_and_wrench:

I have "simply" patched the code where the incompatibility happens. Hopefully it will not be a cat-and-mouse chase at every upgrade and they will fix it upstream soon.


I've tried the upgrade route and something went wrong.

I logged in as root and did not use sudo, and I don't think the problem is there. Am I making a terminal syntax mistake?


Probably: the last option should be UPPERCASE.


Hmm, I see that Ghost is now marked as broken:

  • is it still the compatibility problem between MySQL and MariaDB?
  • is there any hope that the Ghost developers change their stance on MariaDB?
  • or should we look for a replacement?

I haven't started working on my sites under Ghost yet, but if I do, I don't want to end up with a tool that risks quickly becoming obsolete, or for which updates will always be problematic. I'm not blaming the YunoHost maintainers at all; I'm only worried about the policy of the people at Ghost.

By the way, Ghost has some really nice features (subscriptions, newsletter, comments): which lightweight CMS/blog available on YunoHost would have something similar? On my list, Automad and Bludit still seem the easiest, but I'm curious whether anyone has experience with others


Hello!

I've somewhat neglected Ghost, sorry... it's a problem with our automated tests, which crash at the backup-and-restore test step: YunoRunner for CI (yunohost.org)

Our automated tests don't check that, but a priori no.

You'd have to ask them. They pass the blame on to a library they use, knex.


As for the rest of your questions, they are welcome in a dedicated thread. :slight_smile:


Hmm, backup and restore seem OK, don't they? It's at the next step, removal, that it gets stuck?

Hello Titus,
I see that Ghost is working again.
I'd like to know whether updating is still problematic (lots of difficulties to get there), with the risk of it being out of action for indefinite periods; or whether these issues are always temporary and one can keep using the application without worrying too much.
I'd like to install Ghost for a site, but these past months have pushed me into the arms of other systems. However, if Ghost stays relatively safe on YunoHost, the dilemma haunts me; maybe I'll come back to it


PS: well, in the end, NO, I'm dropping Ghost. I don't want to be subject to their decisions. So back to work on Automad, or maybe Bludit (Automad is more complicated, but allows more).