We've discovered an issue in 2.3.2 that, in rare cases, allowed users to create accounts with the same username as existing accounts. If you have already upgraded to v2.3.2, it is recommended to upgrade to v2.3.3 as soon as possible.

v2.3.3 is a small patch and requires no extra steps, only getting the new code and restarting Mastodon.

A new rake task is included to troubleshoot/clean-up.

the "rare case" is that if you register an account, say "kaniini", somebody else can register "KaNiiNi" and it will allow it

@kaniini I think I managed to do a same-account-name registration bug with MediaWiki, like, a decade ago; you just appended an _ to the username and it let you assume that account without the _

(no idea if it got patched)

@Showfom 貌似开了新坑所以作者精力分到那边去了233

@Mastodon I don't have any tag for 2.3.3, is it normal ? As I don't update the code, I don't have the new rake take either ! Thx for help

@Gargron Many thanks ! Everything's good now. And sorry for that (I should have think of that, but don't know why, I didn't !)

@seb_vallee @Mastodon A "git pull --tags" helped for me. Maybe you could try that out.

@lukas Yes, Gargron answer me that too, I just forgot that point ! :) Thanks !

@seb_vallee I still have to get used to mastodon. As I am hosting my own instance, I somehow only see direct responses to the original toot and no responses to your question.

@Mastodon Is closing registrations a reasonable mitigation until the instance can get upgraded to 2.3.3?

@nolan @Mastodon assuming anyone you invite doesn't abuse the bug, yes

Sign in to participate in the conversation

The original server operated by the Mastodon gGmbH non-profit