Pleroma Release: 2.10.1 and 2.10.2

Pleroma 2.10.2 is a security release. It fixes ActivityPub failed-signature inbox retry handling and signer identity checks to prevent spoofed remote activities from being processed. This announcement also includes the previously-unannounced 2.10.1 changes. Updating is highly recommended.

Upgrade notes

From source only

1. Get new dependencies and recompile Pleroma:

   MIX_ENV=prod mix deps.get
   MIX_ENV=prod mix compile
   

Everyone

1. Run database migrations (inside Pleroma directory):
   • OTP: ./bin/pleroma_ctl migrate
   • From Source: mix ecto.migrate
2. Restart Pleroma

Backend changes in 2.10.2

Security

• ActivityPub: Fixed failed-signature inbox retry handling and signer identity checks to prevent spoofed remote activities from being processed

Backend changes in 2.10.1

Changed

• Move avatardescription and headerdescription fields to the account object
• Update Bandit to 1.10.4
• No-op code correctness improvements detected by Elixir 1.19 compiler
• Downgrade Hackney to 1.20.1
• Use a custom redirect handler to ensure MediaProxy redirects are followed with Hackney
• Update Hackney, the default HTTP client, to the latest release which supports Happy Eyeballs for improved IPv6 federation
• Paginate follow requests
• Moved Phoenix LiveDashboard to /pleroma/live_dashboard
• Add mute/block expiry to the relationship object
• Filter indexable activities before inserting indexing jobs into the queue.

Added

• Allow assigning users to reports
• Allow fine-grained announce visibilities
• Add immutable tag on cache-control header for several endpoints that’s serving the same exact things.
• Add reasonable defaults for :databaseconfigwhitelist
• Support lists exclusive param
• Add v1/instance/domain_blocks endpoint
• Add /api/v2/instance profile fields limits info used by Mastodon
• Added Oban Web dashboard located at /pleroma/oban
• Add instructions on how to run a release in docker, to make it easier to run on older distros.

Fixed

• Fix the daily email digest job which was not executing
• Encode custom emoji URLs in EmojiReact activity tags.
• Gopher: Fix Ranch listener not being stopped properly on Pleroma restart when database configuration is enabled
• Fix fetching Hubzilla Actors with alsoKnownAs as string
• Fix /phoenix/live_dashboard redirect not working when user added a path segment
• Fix 404 error codes for missing static files
• Fix OAuth app registration to accept redirect_uris as an array of strings (RFC 7591), while keeping backwards compatibility with string input.
• Correct old migrations for expiring activities and user access tokens.
• Federate votersCount correctly
• DB prune: Check if user follows hashtag with no objects before deletion
• Stop the rate limiter from crashing when run with wrong settings.
• Restore embeds route
• ReverseProxy: Recursively follow redirects until redirect_limit is reached
• Fix compilation with vips-8.18.0 with bumping to vix 0.36.0

Removed

• Docs: Removed outdated, incorrect, unmaintained and inappropriate installation documentation (Arch, NetBSD, NixOS)