Ghost Release: 5.12.3

Tag Name: v5.12.3

Release Date: 2022-09-01

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v5.12.3: Security & Bug Fix Update

This patch release tightens Ghost's login brute-force protection and fixes a bug in member imports. Rate limiting for user logins is now keyed on the source IP address instead of the submitted username, which removes a signal attackers could use to work out which email addresses belong to valid user accounts. The release also stops email alerts from being sent to paid members while they are being added through the importer.

Highlight of the Release

    • IP-based rate limiting for login attempts, replacing the username-based limit
    • Brute force protection no longer reveals which email addresses belong to valid user accounts
    • No more unwanted email alerts to paid members added through the importer

Migration Guide

No migration steps are required for this update. This is a drop-in replacement that can be installed without any additional configuration or changes.

Upgrade Recommendations

This release contains an important security improvement for login protection and a bug fix for member imports. We recommend all Ghost installations update to v5.12.3 as soon as possible, especially if you:

  1. Are concerned about brute force protection for your admin accounts
  2. Regularly import paid members into your Ghost site

The update is backward compatible and requires no configuration changes.

Bug Fixes

Email Notification Fix for Member Imports

Fixed an issue where email alerts were being incorrectly sent to paid members when they were added through the Ghost importer. This resolves a problem where imported members would receive unexpected welcome emails or subscription notifications, creating confusion for both site administrators and members.

Reference: #15347

New Features

No new features were introduced in this release. This is a maintenance release focused on security improvements and bug fixes.

Security Updates

Enhanced Login Rate Limiting

Rate limiting for user logins is now keyed on the source IP address rather than on the submitted username. This closes a user-enumeration vector as well as improving brute force protection.

A limiter keyed on the username can act as an enumeration oracle: if the server's response to repeated failed attempts differs depending on whether the submitted email belongs to a real account (for example, an existing account gets throttled or locked while an unknown address keeps returning a plain authentication failure), an attacker can send a handful of wrong passwords per address and read account existence off the responses. Counting failures per source IP, before any account lookup, removes that signal, because the throttle response no longer depends on which username was submitted.

Two caveats apply to any IP-keyed limiter. It is only as good as the client address the application sees: behind a reverse proxy or CDN, confirm that the real client address is being used rather than the proxy's, otherwise every visitor shares one bucket and a spoofed forwarding header can bypass or poison the limit. And it raises the cost of, but does not eliminate, brute force from an attacker who rotates through many addresses, so strong, unique passwords for staff accounts and monitoring of failed logins remain necessary.

Reference: #15336

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

Ghost v5.12.3 is a minor security and bug fix release that strengthens protection against brute force login attempts by implementing IP-based rate limiting instead of username-based limiting. This change makes it more difficult for attackers to enumerate valid user accounts on a Ghost site.

The release also fixes an issue where imported paid members would receive unwanted email notifications during the import process, improving the member import experience for both administrators and members.

While small in scope, these changes enhance the security posture of Ghost installations and improve the member management experience, particularly for sites that regularly import paid members.

Full Release Notes

  • 🔒 Fixed rate limiting for user login (#15336) - Fabien 'egg' O'Carroll
  • 🐛 Fixed email alerts for paid members on import (#15347) - Rishabh Garg

View the changelog for full details: v5.12.2...v5.12.3

🪄 Love open source? We're hiring Node.js Engineers to work on Ghost full-time

Statistics:

Files changed: 7
Line additions: 327
Line deletions: 23
Line changes: 350
Total commits: 3

Users Affected:

  • Enhanced protection against brute force login attempts targeting their Ghost installation
  • Improved member import experience with no unwanted email notifications sent to imported paid members

Contributors:

allouis, rshbhgrg, github-actions[bot]