This is a beta security hotfix release. It's identical to v2024.1-beta4, except for the security mitigations listed below. Upgrading is strongly recommended for all server operators.
Mitigations:
- ActivityPub actor and note validation has been improved & now protects against cross-origin identifiers in more places, resolving a database pollution vulnerability
- Cross-origin `url` properties on actor & note objects now get set to null before ingestion, resolving a clickjacking vulnerability
- User resolution when processing incoming notes is now limited
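
The first two mitigations amount to origin checks on incoming objects. The sketch below is an added example, not the project's code: it assumes a hypothetical `sanitizeIncoming(obj, fetchedFrom)` hook that rejects an object whose `id` is on a different origin than the location it was fetched from and nulls a cross-origin `url`. The sample note and hostnames are constructed.

```javascript
// Origin (scheme + host + port) of an https URL string; null for anything else.
function originOf(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null; // unparsable identifiers are treated as untrusted
  }
}

// ActivityStreams `url` may be a string, a Link object ({ href }), or an array of either.
function hrefsOf(url) {
  const items = Array.isArray(url) ? url : [url];
  return items.map((i) => (i && typeof i === "object" ? i.href : i));
}

// fetchedFrom: the URL the object was actually retrieved from (assumed to be post-redirect).
// Throws on a cross-origin `id`; returns a copy with a cross-origin `url` set to null.
function sanitizeIncoming(obj, fetchedFrom) {
  const trusted = originOf(fetchedFrom);
  if (trusted === null) throw new Error("untrusted fetch location");
  if (originOf(obj.id) !== trusted) {
    throw new Error(`id ${obj.id} is not on ${trusted}`);
  }
  const out = { ...obj };
  if (out.url != null) {
    const sameOrigin = hrefsOf(out.url).every((h) => originOf(h) === trusted);
    if (!sameOrigin) out.url = null; // never store a link that leads to another host
  }
  return out;
}

// Constructed sample: a note served by social.example whose `url` points at another host.
const sampleNote = {
  id: "https://social.example/notes/1",
  type: "Note",
  url: [{ type: "Link", href: "https://other.example/landing" }],
  content: "hello",
};
```
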
Check out the full changelog for more information on this release.