Update the app Ghost to fix a security flaw


A security vulnerability has been found this week in Ghost apps; it is recommended to upgrade the Ghost application to version 4.16+.

About this vulnerability

"Ghost has found and fixed a breach that allowed unauthenticated email users to change the email addresses of arbitrary member accounts." Details can be found here.

Affected versions

The vulnerability affects Ghost versions between 3.18.0 and 4.15.0 (inclusive), which includes the version of Ghost used previously in YunoHost.

If you can’t upgrade

As a temporary measure: before upgrading, you can use the permission system to block access to your app OR you can block the POST /members/api/send-magic-link/ endpoint with a change in nginx config.

Thanks to @slnsrt who gave us the alert :heart:

5 Likes
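The nginx workaround mentioned in the announcement above could look like the following. This is an added example, not part of the original post or of the YunoHost package; it assumes Ghost is served at the root of its domain and that the snippet is placed inside the `server` block for that domain.

```nginx
# Added example (assumption: Ghost answers at the root of this domain;
# if it is installed under a sub-path, prefix both locations with it).
#
# Exact-match locations ("=") take priority over prefix and regex
# locations, so these win over the generic block that proxies to Ghost.
# The request is rejected by nginx and never reaches the Ghost process.

# Endpoint as named in the announcement (with trailing slash).
location = /members/api/send-magic-link/ {
    return 403;
}

# Same endpoint without the trailing slash, so the block cannot be
# sidestepped by a differently written URL.
location = /members/api/send-magic-link {
    return 403;
}

# After editing, validate and apply:
#   nginx -t && systemctl reload nginx
# Remove both locations again once Ghost has been upgraded to 4.16+.
```

This rejects every method on the endpoint, POST included, so any feature that relies on it stops working until the block is removed.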

Thank you for the report! An upgrade is being tested: Upgrade to v4.16.0 by tituspijean · Pull Request #49 · YunoHost-Apps/ghost_ynh · GitHub

5 Likes

Excellent. Looking forward to the upgrade. Many thanks.

@slnsrt I transformed your first message to make a security announcement.

2 Likes

Many thanks to all those involved in facilitating the security patch, update and upgrade. Excellent teamwork.

Sincerely,
slnsrt

1 Like
