
Ghost Release: 2.38.1

Tag Name: 2.38.1

Release Date: 4/7/2020

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 2.38.1: Security Update for oEmbed Endpoints

This release focuses on security improvements for Ghost's oEmbed functionality across all API versions (v0.1, v2, and canary). The update backports security fixes from Ghost 3.x to ensure consistent validation of fetched URLs and responses in oEmbed endpoints. Additional improvements include standardized request timeouts and user-agent consistency when making external requests.

Highlight of the Release

    • Security improvements for oEmbed functionality across all API versions
    • Consistent validation of fetched URLs and responses in oEmbed endpoints
    • Standardized request timeouts and user-agent for external requests
    • Better error handling for unavailable oEmbed endpoints

Migration Guide

No migration steps are required for this update. This is a drop-in security improvement that doesn't change any APIs or require configuration changes.

Upgrade Recommendations

This release contains important security improvements for the oEmbed functionality. All Ghost 2.x users should upgrade to version 2.38.1 as soon as possible to ensure their sites benefit from these security enhancements.

The update is backward compatible and requires no configuration changes or migration steps.

Bug Fixes

  • Fixed inconsistent user-agent usage when making oEmbed requests
  • Added support for schemeless URLs in the v0.1 oEmbed endpoint to match existing test expectations
  • Updated oEmbed API tests to use valid oEmbed responses
  • Improved error handling to return validation errors instead of internal server errors when remote oEmbed endpoints are unavailable

New Features

No significant new features were added in this release. This is primarily a security-focused update that backports fixes from Ghost 3.x to the 2.x branch.

Security Updates

  • Improved validation of fetched URLs in v2 oEmbed endpoint
  • Enhanced response validation for oEmbed content
  • Backported security fixes from Ghost 3.x to v2 and v0.1 endpoints
  • Standardized security measures across all API versions (v0.1, v2, and canary)
  • Implemented consistent user-agent usage for all external requests

Performance Improvements

  • Added a 2-second timeout to rel="alternate" oEmbed requests to match the initial page request timeout
  • Standardized timeout behavior across different types of oEmbed requests, which helps prevent hanging connections

Impact Summary

Ghost 2.38.1 is a security-focused maintenance release that improves the validation of external content embedded through oEmbed across all API versions. By backporting security fixes from Ghost 3.x, this update ensures consistent and secure handling of embedded content in Ghost 2.x installations.

The changes primarily affect how Ghost validates and processes URLs and responses when embedding external content, with additional improvements to timeout handling and user-agent consistency. These changes enhance security without requiring any configuration changes or breaking existing functionality.

While this update doesn't introduce new features, it significantly improves the security posture of Ghost installations that use embedded content, making it an important update for all Ghost 2.x users.

Full Release Notes

  • 🔒 Improved validation of fetched urls and responses in v2 oembed endpoint - Kevin Ansfield

See the changelogs for Ghost and Ghost-Admin for the details of every change in this release.

Statistics:

Files Changed: 10
Line Additions: 1,368
Line Deletions: 130
Line Changes: 1,498
Total Commits: 7

Users Affected:

  • Improved security posture for sites using embedded content
  • Reduced vulnerability to potential security issues related to oEmbed functionality
  • More consistent behavior when embedding external content

Contributors:

kevinansfield, daniellockyer