
Ghost Release: 4.15.1

Tag Name: v4.15.1

Release Date: 9/23/2021

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v4.15.1: Security & Email Fixes

This patch release addresses a critical security vulnerability in the member email change flow and fixes email delivery issues with Amazon SES and non-standard SMTP configurations. The update ensures proper authentication for email address changes and resolves email sending problems that were affecting some Ghost installations.

Highlight of the Release

    • Fixed critical security vulnerability in member email change flow
    • Resolved email delivery issues with Amazon SES and non-standard SMTP configurations
    • Improved authentication for member email address changes

Migration Guide

No migration steps are required for this patch release. Simply update to v4.15.1 to receive the security and bug fixes.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains an important security fix for a vulnerability in the member email change process. All Ghost installations should be updated to v4.15.1 as soon as possible, especially those with member functionality enabled.

Additionally, if you're experiencing issues with email delivery using Amazon SES or custom SMTP configurations, this update should resolve those problems.

Bug Fixes

Email Delivery Fixes

Fixed issues with email delivery that affected users with certain configurations:

  • Amazon SES Transport: Corrected authentication mechanism setup that was preventing emails from being sent through Amazon SES. The implementation now properly follows the documentation on the Nodemailer SES transport.

  • Non-standard SMTP Configuration: Addressed an issue where custom SMTP options weren't being applied when a service was specified. This was due to a change in recent Nodemailer versions. The fix ensures that custom options are properly applied to the transporter object.

These fixes were implemented by updating the @tryghost/nodemailer package dependency.

New Features

No new features were introduced in this patch release. This is a security and bug fix release focused on addressing specific issues.

Security Updates

Member Email Change Vulnerability

Fixed a security vulnerability in the member email change flow that lacked proper authentication (GHSA-65p7-pjj8-ggmr).

The update:

  • Removes support for the previous email address change flow that had insufficient authentication
  • Implements a dedicated email change flow with proper security measures
  • Updates Portal to use the new secure email change process

This change ensures that member email addresses cannot be changed without proper authentication, protecting against potential account takeovers.

Performance Improvements

No specific performance improvements were included in this patch release.

Impact Summary

Ghost v4.15.1 is a security-focused patch release that addresses a vulnerability in the member email change process and fixes email delivery issues with certain configurations. The security fix prevents unauthorized email address changes by implementing a dedicated, properly authenticated flow. The email delivery fixes ensure that installations using Amazon SES or custom SMTP configurations can reliably send emails. These changes improve the overall security and reliability of Ghost installations without introducing breaking changes or requiring migration steps.

Full Release Notes

Statistics:

  • Files Changed: 5
  • Line Additions: 27
  • Line Deletions: 42
  • Line Changes: 69
  • Total Commits: 5

Users Affected:

  • Need to update to protect their Ghost installation from a security vulnerability
  • Will experience improved reliability when using Amazon SES or custom SMTP configurations for email

Contributors:

renovate-bot, daniellockyer, allouis