Ghost Release: 5.89.5

Tag Name: v5.89.5

Release Date: 8/20/2024

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v5.89.5 introduces a critical security enhancement that adds UUID verification to member endpoints that don't require a session. This update, credited to GitHub user 1337Nerd, prevents unauthorized access to member data by verifying the source of links and requests. The release also improves newsletter management security by redirecting unauthenticated users to the sign-in page.

Highlight of the Release

  • Added UUID verification to member endpoints that don't require a session login
  • Implemented hashed value verification to validate the source of links and requests
  • Added security redirect to sign-in page for unauthenticated newsletter management access
  • Fixed security vulnerability as detailed in advisory GHSA-78x2-cwp9-5j42

Migration Guide

No migration steps are required for this release. The security enhancements are implemented in a way that doesn't break existing functionality or require configuration changes.

Upgrade Recommendations

This release contains important security enhancements that protect member data and prevent unauthorized access. We strongly recommend all Ghost installations be updated to v5.89.5 as soon as possible.

The security improvements in this release address vulnerabilities in member endpoints that could be exploited. Upgrading is straightforward, with no breaking changes or special migration steps required.

Bug Fixes

No specific bug fixes were mentioned in this release. The changes were focused on addressing security vulnerabilities rather than fixing functional bugs.

New Features

No significant new features were added in this release. This update focuses primarily on security enhancements to existing functionality.

Security Updates

Security Enhancements

  • UUID Verification for Member Endpoints: Added verification to member endpoints that don't require a session login, preventing unauthorized access to member data
  • Link Source Verification: Implemented a hashed value system to verify the source of links and resulting requests for member-related actions
  • Newsletter Management Protection: Added a security redirect to the sign-in page when users attempt to access newsletter management without proper authentication
  • Fixed Security Vulnerability: Addressed the security issue detailed in advisory GHSA-78x2-cwp9-5j42

Credit for identifying this security issue goes to GitHub user 1337Nerd.

Performance Improvements

No specific performance improvements were mentioned in this release. The focus was on security enhancements.

Impact Summary

Ghost v5.89.5 is a security-focused release that significantly improves the protection of member data by implementing UUID verification for member endpoints that don't require a session. This prevents potential unauthorized access to member information and adds an additional layer of security to the Ghost platform.

The implementation verifies the source of links and requests through a hashed value system, ensuring that only legitimate requests are processed. Additionally, users attempting to access newsletter management without proper authentication are now redirected to the sign-in page, closing a potential security gap.

While this release doesn't introduce new features or fix functional bugs, it addresses an important security vulnerability (GHSA-78x2-cwp9-5j42) that could impact member data protection. The changes are implemented in a non-disruptive way, requiring no special migration steps or configuration changes.

Full Release Notes

  • 🔒 Added UUID verification to member endpoints not requiring a session (see advisory) - Steve Larson

View the changelog for full details: v5.89.4...v5.89.5

Statistics:

  • Files changed: 34
  • Line additions: 1,029
  • Line deletions: 292
  • Line changes: 1,321
  • Total commits: 2

Users Affected:

  • Enhanced security for member-related endpoints
  • Improved protection against unauthorized access to member data
  • Better security posture for newsletter management

Contributors:

  • 9larsons
  • github-actions[bot]