Thanks to Roger Meyer who reported a flaw in the administration module of Friendica, we could fix a security vulnerability that could leak sensitive information from the server environment. The hotfix release 2020.07-1 includes the patch for the stable release branch of Friendica. The development and RC branches have been updated as well.
Affected versions of Friendica
All versions of Friendica since April 2019 (develop branch) and June 2019 (stable) are affected. Through the admin module, environment variables of the server system could be read by anyone on the internet. Among other things these may include database passwords for Docker installs and the memcached SASL password. We therefore recommend that all node admins change their potentially affected passwords after upgrading to 2020.07-1. Furthermore, this fix also prevents anonymous users from updating node-wide addon settings.
How to Upgrade
This information only applies to the stable release 2020.07 of Friendica. The patch has separately been added to the develop and 2020.09-rc branches of the repository.
Using Git
Important: We are removing the master branch and are using the stable branch instead. Updating from the git repositories of Friendica will be a bit more complicated than you might be used to, as we decided to rename the branch for the stable releases to stable. Hence you need to switch to the branch you want to use after fetching the current version of the code from the repositories. As usual, please remember to update the dependencies with composer as well.
cd friendica
git fetch
git checkout stable
git pull
Pulling in the dependencies with composer is not necessary for this hotfix release.
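The four commands above assume a clean checkout that has never seen the old master branch. The following shell function is an added example and is not part of this announcement or of the Friendica repository: it performs the same switch, but prunes the stale origin/master ref first, refuses to proceed if the remote does not actually publish a stable branch, and only fast-forwards so a hotfix pull can never produce a merge commit. It assumes the remote is named origin and that the working tree has no uncommitted changes blocking the checkout.

```shell
#!/bin/sh
# Added example (not part of the Friendica announcement): move a git checkout
# of Friendica from the removed "master" branch to "stable".
# Assumptions: the remote is named "origin" and the working tree has no
# uncommitted local changes that would block the checkout.

switch_to_stable() {
    repo="$1"
    (
        cd "$repo" || exit 1
        # --prune drops the stale origin/master ref left behind after the
        # remote branch was removed, so it cannot be pulled by mistake.
        git fetch --prune origin || exit 1
        # Refuse to continue if the remote does not actually publish "stable".
        if ! git show-ref --verify --quiet refs/remotes/origin/stable; then
            echo "remote has no stable branch; not switching" >&2
            exit 1
        fi
        if git show-ref --verify --quiet refs/heads/stable; then
            git checkout -q stable || exit 1
        else
            # First switch: create a local stable branch tracking origin/stable.
            git checkout -q -b stable --track origin/stable || exit 1
        fi
        # Fast-forward only: a hotfix pull must never create a merge commit
        # from local modifications.
        git pull -q --ff-only origin stable
    )
}

# Report which branch a checkout ends up on, so the switch can be verified.
current_branch() {
    git -C "$1" rev-parse --abbrev-ref HEAD
}

# Usage: switch_to_stable /path/to/friendica && current_branch /path/to/friendica
```

Run it as `switch_to_stable /var/www/friendica` (path is an assumption) from a shell on the server; a non-zero exit means nothing was switched and the checkout is left as it was.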
Using the Archive Files
If you downloaded the source files as an archive file (tar.gz), please download the current version of the archive (https://files.friendi.ca/friendica-full-2020.07-1.tar.gz) and unpack it on your local computer. Compared to the 2020.07 release only a few files were updated and none of the config files are affected, so you can just upload the changed files onto your server.
How to Contribute
If you want to contribute to the project, you don't need to have coding experience. There are a number of tasks listed in the issue tracker with the label "Junior Jobs" (https://github.com/friendica/friendica/issues?q=is%3Aopen+is%3Aissue+label%3A%22Junior+Jobs%22) that we think are good for new contributors. But you are by no means limited to these: if you find a solution to a problem (even a new one), please make a pull request at https://github.com/friendica/friendica or let us know in the development forum (https://forum.friendi.ca/profile/developers). Contribution to Friendica is also not limited to coding. Any contribution to the documentation (https://github.com/friendica/friendica/tree/develop/doc), the translation (https://www.transifex.com/Friendica/friendica/dashboard/) or advertisement materials is welcome, as is reporting a problem. You don't need to deal with Git(Hub) or Transifex if you don't like to. Just get in touch with us (https://forum.friendi.ca/profile/helpers) and we will get the materials to the appropriate places.
Thanks again to Roger Meyer for making us aware of this problem!
friendi.ca/2020/09/08/hotfix-r…