Ghost Critical security update available — please update Ghost as soon as possible

Keywords: Ghost - AWS - How to - Upgrade

Description:
Critical Security Update Details here:
https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

• How should I go about updating/upgrading Ghost?
The information contained here (https://docs.bitnami.com/general/apps/ghost/administration/upgrade/) produces errors. Approach A, the one that applies to this installation:

bitnami@ip-x.x.x.x:~$ cd /opt/bitnami/ghost
bitnami@ip-x.x.x.x:/opt/bitnami/ghost$ sudo su ghost ghost update
sh: 0: Can’t open ghost
bitnami@ip-x.x.x.x:/opt/bitnami/ghost$

And Approach B, for good measure (though just using that username).
bitnami@ip-x.x.x.x:/opt/bitnami/ghost$ sudo su bitnami ghost update
/opt/bitnami/ghost/bin/ghost: line 2: use strict: command not found
/opt/bitnami/ghost/bin/ghost: line 4: //: Is a directory
/opt/bitnami/ghost/bin/ghost: line 5: process.title: command not found
/opt/bitnami/ghost/bin/ghost: ghost: line 7: syntax error near unexpected token `('
/opt/bitnami/ghost/bin/ghost: ghost: line 7: `const argv = process.argv.slice(2);'
bitnami@ip-x.x.x.x:/opt/bitnami/ghost$

By the way, I’m happy if someone details how to go about upgrading or updating Ghost, not necessarily dealing with the issues I see with the suggested process, even if that’s to confirm that what I am doing is the suggested process to get this critical update.

Because if that’s so, I now have enough experience :smiley: to start a new instance in Lightsail, do all the updates (should work, right?) and then move my data from the current instance to the new. Thanks again!

Hi @jose.fandos,

Thanks for using Bitnami. I launched a fresh new instance including Ghost version 4.16.0-1, which according to the link you shared, should have the mentioned issue fixed.

Apart from that, I followed the steps in our guide to update the ghost-cli tool and also the Ghost application, and I had to run slightly different commands. Can you check whether running the commands below works for you?

Before running any command, please create a server backup.

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/lightsail-how-to-create-a-snapshot-of-your-instance

Also, can you tell us if your server is following Approach A or B? Please run the next command and share the output with us:

test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."

Mine was using Approach A, and I was able to run the next commands successfully:

# Update ghost-cli
cd /opt/bitnami/ghost/current
sudo su ghost -c "npm install ghost-cli"

# Update Ghost application
cd /opt/bitnami/ghost
sudo su ghost -c "ghost update"

In my case, the results were:

$ sudo su ghost -c "npm install ghost-cli"
npm WARN express-brute@1.0.1 requires a peer of express@4.x but none is installed. You must install peer dependencies yourself.

+ ghost-cli@1.17.3
removed 8 packages, updated 1 package and audited 1741 packages in 33.832s

88 packages are looking for funding
  run `npm fund` for details

found 11 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ sudo su ghost -c "ghost update"
✔ Checking system Node.js version - found v14.17.6
ℹ Ensuring user is not logged in as ghost user [skipped]
ℹ Checking if logged in user is directory owner [skipped]
✔ Checking current folder permissions
✔ Checking memory availability
✔ Checking free space
✔ Checking for available migrations
✔ Checking for latest Ghost version
All up to date!
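
A post-update check to go with the steps above, added here as an example and not part of the thread or of Bitnami's or Ghost's tooling: it reads the installed release from package.json and compares it with a minimum version. The package.json location under /opt/bitnami/ghost/current and the function names are assumptions; 4.16.0 is the version the reply above says should contain the fix, so confirm the patched release against the advisory.

```shell
#!/bin/sh
# Added example: confirm the Ghost release on disk after "ghost update".

# Print the top-level "version" field of a pretty-printed package.json (no jq needed).
ghost_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when version $1 >= $2. Fields are compared numerically, so 4.9.4 < 4.16.0;
# a packaging suffix such as the "-1" in "4.16.0-1" is ignored.
version_ge() {
    a="${1%%-*}.0.0"; b="${2%%-*}.0.0"
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print a verdict for the package.json at $1 against minimum version $2.
# Exit status: 0 patched, 1 below the minimum, 2 version not found.
check_ghost_patched() {
    v=$(ghost_version "$1" 2>/dev/null)
    if [ -z "$v" ]; then echo "UNKNOWN: no version found in $1"; return 2; fi
    if version_ge "$v" "$2"; then
        echo "OK: Ghost $v >= $2"
    else
        echo "BELOW MINIMUM: Ghost $v < $2"; return 1
    fi
}

# Demo on a constructed package.json; on the server, point it at the assumed path
# /opt/bitnami/ghost/current/package.json instead.
MIN_VERSION="4.16.0"   # from the reply above; confirm the fixed release in the advisory
sample=$(mktemp)
printf '{\n  "name": "ghost",\n  "version": "4.9.4",\n  "private": true\n}\n' > "$sample"
check_ghost_patched "$sample" "$MIN_VERSION" || true   # prints: BELOW MINIMUM: Ghost 4.9.4 < 4.16.0
rm -f "$sample"
```
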

That was perfect! It really helps knowing which folder to run each of those two commands!

Also, I’m not running the npm audit fix, as that seems to have broken things in the past.

@gongomgra One question, in your comment, after running the Ghost update it says it found Node.js version 14.17.6. In my case it said 14.17.3. How would you go about updating that? I.e. which folder and command? Thanks!

Hi @jose.fandos.

Thanks for your message, I’m glad it worked for you! Notice I only updated the ghost command, as the working directory was already mentioned in our docs.

Regarding the Node.js version, I’m afraid it is not possible to update it on your server. You will need to launch a new server including the newer Node.js version and then migrate your Ghost information there.

Thanks! No worries. I might do that sometime in the near future, when I have another bit of time. Thanks again!

Hi @jose.fandos,

Thanks for your message. We are closing this thread as solved. Please do not hesitate to open a new one with any other questions you may have.
