Mastodon is a user on You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.
Mastodon @Mastodon

We've discovered an issue in 2.3.2 that, in rare cases, allowed users to create accounts with the same username as existing accounts. If you have already upgraded to v2.3.2, it is recommended to upgrade to v2.3.3 as soon as possible.

v2.3.3 is a small patch and requires no extra steps, only getting the new code and restarting Mastodon.

A new rake task is included to troubleshoot/clean-up.

· Web · 112 · 55
the "rare case" is that if you register an account, say "kaniini", somebody else can register "KaNiiNi" and it will allow it
honesty in security advisories is so 2005

@kaniini I think I managed to do a same-account-name registration bug with MediaWiki, like, a decade ago; you just appended an _ to the username and it let you assume that account without the _

(no idea if it got patched)

@Showfom 这次还好,不用重新编译东西233333

@Showfom 貌似开了新坑所以作者精力分到那边去了233

@Mastodon I don't have any tag for 2.3.3, is it normal ? As I don't update the code, I don't have the new rake take either ! Thx for help

@seb_vallee @Mastodon do: git fetch --tags

It will download the tag.

@Gargron Many thanks ! Everything's good now. And sorry for that (I should have think of that, but don't know why, I didn't !)

@seb_vallee @Mastodon A "git pull --tags" helped for me. Maybe you could try that out.

@lukas Yes, Gargron answer me that too, I just forgot that point ! :) Thanks !

@seb_vallee I still have to get used to mastodon. As I am hosting my own instance, I somehow only see direct responses to the original toot and no responses to your question.

@Mastodon Is closing registrations a reasonable mitigation until the instance can get upgraded to 2.3.3?

@nolan @Mastodon assuming anyone you invite doesn't abuse the bug, yes