The platform released v5.2.3, which patches the affected versions (<= 4.48.1 and 5.0.0 - 5.2.2) against remote code execution through the locale setting. A vulnerability in an upstream library means an authenticated attacker can abuse locale input to execute arbitrary commands from a file that was previously uploaded using the file upload functionality in the post editor.
Patched versions of Ghost add validation to the locale input to prevent execution of arbitrary files. Updating Ghost is the quickest complete solution. As a workaround, if for any reason you cannot update your Ghost instance. For more information, please follow this link or contact email@example.com and they will answer your questions.
First things first: take a backup. Whenever you make major changes to your Droplet on DigitalOcean, it is highly recommended to create a backup before doing anything else.
Then, access your droplet from the terminal by entering the following command:
Right after you log in, switch to the ghost-mgr user. To upgrade or maintain the Ghost install in future, you'll always have to become the ghost-mgr user in order to have the correct permissions:
All tasks can be completed with the Ghost-CLI tool. Run ghost help for an overview of available commands, or check out the Ghost-CLI docs for full details.
Once you've become the ghost-mgr user, navigate to the default Ghost installation directory with the cd command as below:
Next, run ghost check-update to double-check which version you're using and whether a new version is available. Bingo! The current version is 5.2.2 and the latest version is 5.2.3, so we can immediately proceed with the update.
Then we verify which version of Ghost the server is running to make sure the update went well.
We are running Ghost v5.2.3, so everything worked perfectly. Note that if Ghost Manager is out of date, you will want to update that first and then run ghost update again. To update Ghost Manager, use the command:
Pay attention to the terminal output. For example, if there are files or directories with incorrect permissions, you will be asked to run a chmod command as below:
Ghost stops and restarts by itself while updating, so you don't need to add any step to the process. However, after the successful update, you can leave the ghost-mgr user with the command exit and restart the droplet by typing:
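As an added example that is not part of the original post: a small POSIX shell pre-flight check that decides whether a Ghost version string falls inside the affected ranges quoted at the top of this post, so you know before touching the droplet whether the update is urgent. The format of the ghost version output and the /var/www/ghost install path are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check that
# tells you whether an installed Ghost version is in the affected ranges
# named in the advisory (<= 4.48.1, or 5.0.0 through 5.2.2), so you know
# before touching the droplet whether the update is urgent.

# Compare two dotted versions numerically (major.minor.patch).
# Prints -1, 0 or 1 like strcmp; missing components count as 0.
vercmp() {
  _i=1
  while [ "$_i" -le 3 ]; do
    _x=$(printf '%s\n' "$1" | awk -F. -v n="$_i" '{ print $n + 0 }')
    _y=$(printf '%s\n' "$2" | awk -F. -v n="$_i" '{ print $n + 0 }')
    if [ "$_x" -lt "$_y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$_x" -gt "$_y" ]; then printf '%s\n' 1; return 0; fi
    _i=$((_i + 1))
  done
  printf '%s\n' 0
}

# Exit status 0 when the given version is affected, 1 when it is not.
ghost_is_affected() {
  _v=${1#v}                                  # tolerate a leading "v"
  # every release up to and including 4.48.1
  if [ "$(vercmp "$_v" 4.48.1)" -le 0 ]; then return 0; fi
  # the 5.x range 5.0.0 through 5.2.2 (5.2.3 is the fix)
  if [ "$(vercmp "$_v" 5.0.0)" -ge 0 ] && [ "$(vercmp "$_v" 5.2.2)" -le 0 ]; then
    return 0
  fi
  return 1
}

# Pull the Ghost version out of `ghost version` output read from stdin.
# Assumed output format (from memory, not from the post):
#   Ghost-CLI version: 1.24.0
#   Ghost version: 5.2.2 (at /var/www/ghost)
parse_ghost_version() {
  awk '/^Ghost version:/ { print $3; exit }'
}

# Intended use on the droplet, as ghost-mgr, from the install directory
# (/var/www/ghost is assumed to be the default path). Not run here so the
# functions above can be exercised offline:
#   v=$(ghost version | parse_ghost_version)
#   if ghost_is_affected "$v"; then echo "Ghost $v is affected: run ghost update"; fi
```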
Happy blogging!