by David Baker | Nov 14, 2016 | Uncategorized |
It’s been brought to our attention that some users are unable to connect to matrix.org and riot.im due to an SSL error, failing with, “NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED”. The cause of this is the Chromium bug detailed at https://bugs.chromium.org/p/chromium/issues/detail?id=664177
In short, older versions of Chrome / Chromium (including Chromium v0.53 which is the default in ubuntu) will refuse to make SSL connections to matrix.org or riot.im because they are unable to verify that the certificates are in the certificate transparency log. This is because the build of Chromium is over 10 weeks old which means it now considers its certificate transparency log to be stale.
This issue is affecting all sites using certificates signed by Symantec and its subsidiaries (which includes amazon.com).
There’s little we can do about this, short of completely changing our SSL certificate provider, but for users it should be fairly easy to work around by updating to a newer version of Chromium (which may be as simple as restarting the browser).
Update: see also https://sslmate.com/blog/post/ct_redaction_in_chrome_53 and https://news.ycombinator.com/item?id=12953172 (top of HN right now)
by Erik Johnston | Nov 8, 2016 | Uncategorized |
We were advised of a bug with the LDAP integration an hour ago that allowed unauthenticated login in certain circumstances when using an old version of the ldap3 python module (v0.9.x).
Currently, this is only known to affect the debian packages of synapse. A fix has been pushed, v0.18.2-2, and it is strongly advised for you to update as soon as possible.
Synapse installed using pip should not be affected, as pip will have bundled a newer version of the ldap3 module.
UPDATE: Synapse v0.18.3 released.
This issue only affects OS (not virtualenv) installations using v0.9.x of the ldap3 python package (e.g. Debian Stable (Jessie)). Synapse itself specifies a dependency on >v1.0 of ldap3, but as the dependency is optional there is a risk that a stale operating system dependency will be pulled in instead. To be safe, 0.18.3 of Synapse has just been released to fix the underlying problem for anyone using the older ldap3 package, regardless of their OS. https://github.com/matrix-org/synapse/releases/tag/v0.18.3 has the details.
Many thanks to Adrián Pérez for reporting the problem, and to hexa- for assistance in quickly solving it!
Signed announcement: synapse-debian-security-announcement
by Erik Johnston | Sep 8, 2016 | Uncategorized |
A small update for Synapse has been released: v0.17.2! It includes a few optimisations to reduce memory usage, as well as some security bug fixes. It’s therefore recommended to upgrade as soon as possible.
The full change log can be found on the release page.
by Erik Johnston | Aug 24, 2016 | Uncategorized |
Synapse v0.17.1 is here! It includes a bunch of bug fixes an performance improvements, as well as a brand new notifications API added by Dave.
We’ve also been busy adding more metrics into the code to help spot various performance bottlenecks, which should help in the ongoing performance improvement effort.
This also includes security fixes regarding possible XSS attacks involving the media repository – please upgrade!
The full change log can be found on the release page.
by Erik Johnston | Aug 8, 2016 | Uncategorized |
Synapse v0.17.0 is finally here, which includes a couple of security fixes so please upgrade. Other notable new things are:
- A bunch of new admin APIs, including purging locally cached data (which has been long requested to help free up disk space). See the docs folder for more details.
- Device management APIs in preparation for end to end encryption.
- Better support for LDAP authentication, thanks to Martin Weinelt! (This may break existing LDAP configuration, see PR #843 for more details.)
- Lots and lots of bug fixes and various bits of performance work.
For a full list of everything that has changed see below or the release page.
I’d also like to thank Will Hunt, Martin Weinelt and Kent Shikama for their contributions!
Changes in synapse v0.17.0 (2016-08-08)
This release contains significant security bug fixes regarding authenticating
events received over federation. PLEASE UPGRADE.
This release changes the LDAP configuration format in a backwards incompatible
way, see PR #843 for details.
Changes:
- Add federation /version API (PR #990)
- Make psutil dependency optional (PR #992)
Bug fixes:
- Fix URL preview API to exclude HTML comments in description (PR #988)
- Fix error handling of remote joins (PR #991)
Changes in synapse v0.17.0-rc4 (2016-08-05)
Changes:
- Change the way we summarize URLs when previewing (PR #973)
- Add new
/state_ids/ federation API (PR #979)
- Speed up processing of
/state/ response (PR #986)
Bug fixes:
- Fix event persistence when event has already been partially persisted (PR #975, #983, #985)
- Fix port script to also copy across backfilled events (PR #982)
Changes in synapse v0.17.0-rc3 (2016-08-02)
Changes:
- Forbid non-ASes from registering users whose names begin with ‘_’ (PR #958)
- Add some basic admin API docs (PR #963)
Bug fixes:
- Send the correct host header when fetching keys (PR #941)
- Fix joining a room that has missing auth events (PR #964)
- Fix various push bugs (PR #966, #970)
- Fix adding emails on registration (PR #968)
Changes in synapse v0.17.0-rc1 (2016-07-28)
This release changes the LDAP configuration format in a backwards incompatible
way, see PR #843 for details.
Features:
- Add purge_media_cache admin API (PR #902)
- Add deactivate account admin API (PR #903)
- Add optional pepper to password hashing (PR #907, #910 by @KentShikama)
- Add an admin option to shared secret registration (breaks backwards compat) (PR #909)
- Add purge local room history API (PR #911, #923, #924)
- Add requestToken endpoints (PR #915)
- Add an /account/deactivate endpoint (PR #921)
- Add filter param to /messages. Add ‘contains_url’ to filter. (PR #922)
- Add device_id support to /login (PR #929)
- Add device_id support to /v2/register flow. (PR #937, #942)
- Add GET /devices endpoint (PR #939, #944)
- Add GET /device/{deviceId} (PR #943)
- Add update and delete APIs for devices (PR #949)
Changes:
- Rewrite LDAP Authentication against ldap3 (PR #843 by @mweinelt)
- Linearize some federation endpoints based on (origin, room_id) (PR #879)
- Remove the legacy v0 content upload API. (PR #888)
- Use similar naming we use in email notifs for push (PR #894)
- Optionally include password hash in createUser endpoint (PR #905 by @KentShikama)
- Use a query that postgresql optimises better for get_events_around (PR #906)
- Fall back to ‘username’ if ‘user’ is not given for appservice registration. (PR #927 by @Half-Shot)
- Add metrics for psutil derived memory usage (PR #936)
- Record device_id in client_ips (PR #938)
- Send the correct host header when fetching keys (PR #941)
- Log the hostname the reCAPTCHA was completed on (PR #946)
- Make the device id on e2e key upload optional (PR #956)
- Add r0.2.0 to the “supported versions” list (PR #960)
- Don’t include name of room for invites in push (PR #961)
Bug fixes:
- Fix substitution failure in mail template (PR #887)
- Put most recent 20 messages in email notif (PR #892)
- Ensure that the guest user is in the database when upgrading accounts (PR #914)
- Fix various edge cases in auth handling (PR #919)
- Fix 500 ISE when sending alias event without a state_key (PR #925)
- Fix bug where we stored rejections in the state_group, persist all rejections (PR #948)
- Fix lack of check of if the user is banned when handling 3pid invites (PR #952)
- Fix a couple of bugs in the transaction and keyring code (PR #954, #955)
by Richard van der Hoff | Jul 14, 2016 | Uncategorized |
We’ve just released r0.2.0 of the Client-Server API specification. This release bundles up a number of clarifications and incremental improvements, as well as removing some outdated text relating to the pre-r0 event syncing APIs.
We’ve also taken the opportunity to make the license on the specifications explicit (we’re using the Apache license), and have finally settled a long-running argument on what a user ID should look like.
As ever, the evolution of the spec has been helped tremendously by contributions and bug reports from the members of community – thanks to all those who have helped it on its way!
Recent Comments