We will be releasing a security update to matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2 and clients which implement end-to-end encryption with these libraries, to patch critical security issues, on Wed, Sept 28th. The releases will be published in the afternoon, followed by the disclosure blog post around 16:00 UTC. The affected clients include Element Web, Desktop, iOS and Android. We will also be working with downstream packagers and forks over the coming days to ensure a synchronised release to address affected clients.
Clients using matrix-rust-sdk, hydrogen-sdk and matrix-nio are not affected by these critical issues. We are also auditing third-party client SDKs and clients in advance of the release, and will work with the projects if action is needed. So far we've confirmed that other popular SDK/clients including mtxclient (nheko), Matrix Dart SDK (FluffyChat), Trixnity (Timmy), Syphon, mautrix-go (Gomuks) and mautrix-python are not affected by the issues in question.
If you maintain or package a (potentially) affected E2EE-capable Matrix client and need to coordinate on the release, please contact [email protected].
We advise to upgrade as soon as possible after the patched versions are released.
Thank you for your patience while we work to resolve this issue.
The details of the final vulnerability will be released at a later date,
pending an audit of the codebase to ensure it's not affected by other similar
vulnerabilities.
The vulnerabilities have been patched in node-irc version 1.3.0 and
matrix-appservice-irc 0.35.0. You can get the release on
Github.
The bridges running on the Libera Chat, OFTC and other networks bridged by the
Matrix.org Foundation have been patched.
Please upgrade your IRC bridge as soon as possible.
The above vulnerabilities were reported by Val
Lorentz. Thank you!
Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to
patch a couple of High severity vulnerabilities (reserved as
CVE-2022-36059
for the matrix-js-sdk and
CVE-2022-36060
for the matrix-react-sdk).
Affected clients include those which depend on the affected libraries, such as
Element Web/Desktop and Cinny. Releases of the affected clients will follow
shortly. We advise users of those clients to upgrade at their earliest
convenience.
The vulnerabilities give an adversary who you share a room with the ability to
carry out a denial-of-service attack against the affected clients, making it
not show all of a user's rooms or spaces and/or causing minor temporary
corruption.
The full vulnerability details will be disclosed at a later date, to give
people time to upgrade and us to perform a more thorough audit of the codebase.
Note that while the vulnerability was to our knowledge never exploited
maliciously, some unintentional public testing has left some people affected by
the bug. We made a best effort to sanitize this to stop the breakage. If you
are affected, you may still need to clear the cache and reload your Matrix
client for it to take effect.
We thank Val Lorentz who discovered and
reported the vulnerability over the weekend.
Following up on last week's tutorial about using Docker Compose to install Synapse, this week Thib explains how to use Ansible to deploy your own Matrix homeserver.
Earlier in the year, t2bot.io passed 1 Million known rooms and now it's passed 10 Million bridged users (10,039,915 users to be exact, at time of writing). Most of these users will be people who have participated in a channel/chat on Discord or Telegram that was bridged to Matrix through t2bot.io's free service, with about 500 thousand being active each month.
Approximately 8 Million of the users are from Telegram, covering about 11% of all Telegram users (previously 15% based on information available at the time). The remaining 2 Million are Discord users, roughly 0.5% of Discord's user base. For perspective, t2bot.io has just over 683 Million events in the database and is bridging between 30 and 40 thousand people a day.
Like last time, this is just a milestone update, though it's also a good reminder to host your own server if you can. Element's own hosting platform is a great option if you'd like to have a server without running it yourself, and Beeper offers a richer bridging experience than t2bot.io can feasibly provide. If you'd like to go down the self-hosting route, check out Thib's video guide on hosting synapse or last week's Matrix Live for a better understanding of what hosting Synapse actually means.
As for an interesting statistic: despite not having much functionality that deals with Spaces, t2bot.io can see 2687 Spaces from the wider world. The plan in the coming months is to support a way to bridge a whole Discord server to a Matrix Space, making this statistic hopefully more interesting as time goes on.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://matrix.org/docs/spec/proposals.
The Spec Core Team has been continuing to push forward on the spec. Several new MSCs have been opened recently. The Spec Core Team is available in #sct-office:matrix.org when MSC authors think that they are ready for primetime.
Bridges sometimes are unable to relay messages to the remote service for one reason or another. This MSC proposes a way to allow bridges to indicate that a message failed to be delivered, and allow users to tell the bridge to retry.
Usman's internship, working on Favourite Messages, is coming to an end! Check out Usman's blog post and Andy's blog post! To follow progress on Favourite Messages (which is still very much a prototype), check out the tracking issue: Tracking issue for Favourite Messages. Thanks to Usman for being an awesome mentee!
This week we've released Synapse 1.66.0rc1! This upcoming release deprecates delegating email validation to an identity server (more info here) and includes improved validation around user-interactive authentication, support for a couple of experimental features, as well as the usual batch of bug fixes and performance improvements π
As always, any help with testing and feedback on this RC is appreciated! Feel free to drop any feedback or bug report in #synapse:matrix.org and the Synapse repo respectively.
This week we released Dendrite 0.9.5 which includes a number of fixes, particularly for federation:
The roomserver will now correctly unreject previously rejected events if necessary when reprocessing
The handling of event soft-failure has been improved on the roomserver input by no longer applying rejection rules and still calculating state before the event if possible
The federation /state and /state_ids endpoints should now return the correct error code when the state isn't known instead of returning a HTTP 500
The federation /event should now return outlier events correctly instead of returning a HTTP 500
A bug in the federation backoff allowing zero intervals has been corrected
The create-account utility will no longer error if the homeserver URL ends in a trailing slash
A regression in /sync introduced in 0.9.4 should be fixed
As always, please feel free to join us in #dendrite:matrix.org for more Dendrite-related discussion.
Thanks to Aine of etke.cc, matrix-docker-ansible-deploy can now set up the new Postmoogle email bridge/bot. Postmoogle is like the email2matrix bridge (also already supported by the playbook), but more capable and with the intention to soon support sending emails, not just receiving.
Quadrix v1.2.5 has been released! The update is already available for Linux, MacOS and iOS. The Windows and Android updates are awaiting approval from the respective stores. This release has mostly "under the hood" improvements (upgrade to React Native 0.69, React 18 and other key dependencies), but also fixes a few bugs and brings minor UI improvements.
Great news: Quadrix finally made it to https://matrix.org/clients/ :-) Many thanks to @madlittlemods:matrix.org!!!
Please leave feedback/comments at #quadrix:matrix.org or in the issues at https://github.com/alariej/quadrix (stars welcome :-))
In labs (you can enable labs features in settings on develop.element.io or on Nightly):
Weβre working hard on updating Threads, squashing bugs and improving performance. We have several MSCs open introducing new functionality to read receipts so that notifications work better than ever.
Weβre working hard on making the new layout ready for general use, squashing bugs and taking names until everything is in tip top shape. We have a test flight build out: weβve delayed the release to next week while we iron out the last creases.
In ElementX land we have started on adding analytics and Xcode Cloud support and have updated our logging strategy. We will also start adopting sliding sync and using the new Rust Timeline providers
Element Call v0.2.7 and v0.2.8 have been released this past week, adding local volume control, full screen mode, audio in screen sharing and, ahem, fixing an embarrassing bug where we broke walkie-talkie mode... π Oh, and it's also all in TypeScript now. π https://github.com/vector-im/element-call/releases/tag/v0.2.7
With a few people out of office, this weeks has been one of the more quiet ones, but progress has been made non-the-less. Again a lot happens in draft PRs and the background, like with the upcoming Timeline API but also the path forward for integrating the crypto bindings into the js-sdk. There are a few notable PRs merged this week still improving the API (#972 and #973, #961), upgrading to latest ruma, removing dependencies (parking_lot) to improve compile times as well as merging the release infrastructure for crypto-js.
π Wanna hack on matrix rust? Go check out our help wanted tagged issues and join our matrix channel at Matrix Rust SDK.
This new bot allows users to use webhooks to forward monitoring alerts (e.g from prometheus) to matrix rooms. This means that you no longer have to use E-Mail or Slack to receive alerts. To set it up visit Github Alertmanager or
join #alertbot:hyteck.de
Matrix AI that generates messages based off other users' messages using a neural network. The bot trains its GPT-2 model using the CPU and is written in JavaScript (Node.JS) and Python. The project's code can be found here.
Hi all,
quite a lot happened since the last twim post a few months ago.
In a nutshell, we refactored the feed page and user page for a better viewing experience. We also now allow displaying and commenting post images in a dedicated view.
Also, you can now send follow request using knocking, thanks to profile as space support. (Yes, MSC is coming)
Finally, we have now multi account support, better stories display and refactored login and settings page.
Well... we almost modified everything :D
See more at https://minestrix.henri2h.fr/posts/
Stay tuned, event organization is coming soon (you can see the first implementation in the blog post.
PS: For those at the Matrix summit, I will be presenting it tomorrow
I recently made a blog post / video walk through of Matrix, hopefully it will be helpful to someone:
https://www.covingtoncreations.com/blog/what-can-matrix-do-for-your-organization
Have you ever felt lost in the Matrix world? Too many rooms and spaces to manage? Well, back by popular demand (with Timo's blessing), I present, The Room of the Week! Every week we strive to highlight a room or a space that we believe deserves attention for discussing interesting going on across the Matrix Network.
This week on room of the week:
We Are All Tech enthusiasts on The Matrix Network, but do you ever experience Tech burnout? Do you ever wish you could find discussions in The Matrix Universe about things other than Tech? Well, this week we bring you a very technical solution!
A space where you will find information about everything except technology. Groups are helpfully categorized by Subspace, and feature discussions about everything from musical instruments to beverages. If it isn't about computing, it's there.
If you have a room you wish to see highlighted, join us at:
https://matrix.to/#/!bIyiUUnriVoHtYzuPS:fachschaften.org?via=chat.shawnsorbom.net&via=matrix.org&via=fachschaften.org
To get your favorite room of the week highlighted.
Matthew shared with us the Matrix Summer Special 2022! Come read all about what's happened in Matrix-land so far this year, and what's coming up next, right here: https://matrix.org/blog/2022/08/15/the-matrix-summer-special-2022
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://matrix.org/docs/spec/proposals.
This week the Spec Core Team focused on improvements to the spec source itself. richvdh opened a PR for edit events, and yours truly did a small PR to clarify the required state of the response to /_matrix/client/v3/login/.
There's a lot more open issues available for people to tackle however, so feel free to get involved and help out if you have some spare time!
Finally other than the usual rounds of review by the team, I've been working on a spec process document that aims to explain the practical portions of the text found at https://spec.matrix.org/proposals/, but in a easily scannable manner. Look out for a PR with that in the near future.
Historically, widgets have laid outside of the spec and have only been implemented in a small subset of clients - mainly Element. As of recent weeks though, there's now a team at Element backing the feature. So exciting times ahead!
Regardless, let's highlight this MSC! It solves a crucial problem with a simple solution. Widgets can ask the client they're embedded in to do certain things (if granted certain capabilities), and the client, potentially after asking the user for permission, can allow or deny those actions. This MSC adds the machinery for a further step: the client will tell the widget what capabilities they requested were allowed, and which were denied.
I believe this spec is non-contentious, but is blocked on widgets entering the spec as a whole. Regardless, if this particular piece of the puzzle interests you, or you'd like to read all about widgets in general, the see either the MSC above or this widget spec tracking PR: https://github.com/matrix-org/matrix.org/pull/825.
It's the last days of summer here and we are toiling away at making Synapse faster and leaner! In addition to continued work on faster joins, we released Synapse v1.65.0, with new features such as support for stable prefixes for private read receipts and a new module API method for creating a room (plus some other features!), as well as a host of bugfixes and internal changes to make Synapse faster and more stable.
Make sure to check it out!
This week we released Dendrite 0.9.4, containing primarily bug fixes:
A bug in the roomserver around handling rejected outliers has been fixed
Backfilled events will now use the correct history visibility where possible
The device list updater backoff has been fixed, which should reduce the number of outbound HTTP requests and Failed to query device keys for some users log entries for dead servers
The /sync endpoint will no longer incorrectly return room entries for retired invites which could cause some rooms to show up in the client "Historical" section
The /createRoom endpoint will now correctly populate is_direct in invite membership events, which may help clients to classify direct messages correctly
The create-account tool will now log an error if the shared secret is not set in the Dendrite config
A couple of minor bugs have been fixed in the membership lazy-loading
Queued EDUs in the federation API are now cached properly
As always, please feel free to join us in #dendrite:matrix.org for more Dendrite-related discussion.
This week has seen a quite a few Helm Chart updates; element-web got updated to 1.11.3, matrix-media-repo got a Redis usage fix, and matrix-synapse got updated to 1.65.0
Nheko now has some very dirty hack to render spoilers on desktop platforms. This does not show the reason and not work in mobile mode, doesn't hide it from notifications or from the sidebar. But it is at least something. Similarly we tightened what tags we allow when validating the incoming html again. Also, as a small fix, DMs should now also properly start with encryption enabled when started from a profile and there were a few crash fixes when searching for direct chat partners and closing the window too quickly or when a user uploads a device with invalid keys.
Bug fixes and final polishing has been taking place for our βStart DM on first messageβ project. This is where the user receiving a new room invite as a DM will not get the notification until youβve sent a message.
The team is testing embedding Element Call in Element Web, as well as working on other improvements to Video rooms.
The new userβs checklist is live in product. Itβs our first version so let us know what you think!
In labs (you can enable labs features in settings on develop.element.io or on Nightly):
Notifications improvements to Threads are underway. The team has been testing the new MSC and related Proof of Concept (POC) which we think will solve most of the issues with Threads right now.
We did the AppStore review dance and version 1.8.27 is now available. We even got better usage strings out of it.
We now have UI integration and performance tests in ElementX. Even more, theyβre joined by some really nice Screenshot UI tests. Test all the things!
Weβve fixed some small bugs and some not so small ones, coming to an Element close to you early next week. The way things are laid out, you might even see a new feature land π
The new app layout testing session went well and we are looking for more iOS testers for future sessions. If youβd like to help out in future sessions, please join #element-community-testing:matrix.org
We had a very successful testing session with the all new app layout. If youβd like to take part in a future session, join us over at #element-community-testing:matrix.org
This week weβve been working on fixing some FTUE crashes and covering some edge cases. Thanks to the community members submitting bugs and more info - keep it coming!
Weβre investigating reports of missing messages, as well as a bug with the Threads beta where not all 'threaded messages' are showing up in the right placeβ¦
Just pushed another version (2.8.0) of the Ruby Matrix SDK, which drops support for the EoL Ruby 2.6 (and drops a bunch of workarounds for it) in order to support much improved caching of room state data, along with more helper methods and a fix for a floating accessor that didn't get hooked up correctly.
The Matrix Rust SDK team has been busy this week, too. Progress has been made on Siding Sync in particular, the types have been finalised and merged into mainline ruma, and more API has been made accessible via FFI. The new reactive Timeline API has been progressed, it, too, has some FFI definitions now, allowing mobile client to start playing with it. Crypto-JS, too, has progressed, adding support for de/encrypting attachments in an memory efficient fashion. On the crypto-side, the longer on-going refactor and improvements have yielded another few PRs, too, that have successfully merged, while others are still pending reviews. Other than that, we've seen quite a few smaller fixes and improvements, around logging, docs and the examples.
ποΈ Wanna hack on matrix rust? Go check out our help wanted tagged issues and join our matrix channel at Matrix Rust SDK.
This week in the dart SDK we mostly fixed bugs. Many of those are related to call negotiations where streams were closed in the wrong order, not closed at all or in group calls the call never learned about new members or the call_ids would not match. There were also a few fixes to the background thumbnailing support added in 0.11.1, helper methods were added to easily send the right message corresponding to the mimetype of some media and fetching a timeline for some event id should work properly again.
We have some support to mark a room as either a dm or a group using slashcommands now, you have more flexibility when implementing the SSSS Bootstrap now (using the extra Bootstrap parameter in onUpdate() and to round it all off, we now have nice coverage numbers as well as coverage display on merge request diffs.
For more info, check the release notes for 0.11.2, 0.12.0, 0.12.1 and 0.12.2: https://pub.dev/packages/matrix/changelog ;-)
πSix days until Matrix Community Summit Berlin 2022
In less than a week the Matrix Community Summit Berlin is taking place at c-base.
Join us early on Thursday (25th August) for a Barcamp where we will brainstorm, draft and prototype new ideas.
The main conference days are Friday and Saturday (26th and 27th August). We have a schedule all about Matrix hosting, clients and development.
With three simultaneous tracks there sure is something for you to listen to. It's also the perfect place to get to know other community members.
Look forward to talks, workshops, a signing party, a Matrix P2P live test, dinner and barbecue!
We're not planing to stream or record the event. Our focus lies on providing a great in-person activities.
If attendees want to blog or toot/tweet about it, please use the hashtag #MatrixCommunitySummit.
Also, German-speaking folks can look forward to more coverage from the event on my podcast.
https://chrpaul.de/podcast/
Because we've heard about some confusion:
The event is NOT organised by the Matrix Foundation. To minimize the misconception, we've renamed it to the Matrix Community Summit Berlin.
This is an event initiated by Yan, jaller94 and other Matrix enthusiasts. We also organise the Matrix Meetup Berlin.
Have you ever felt lost in the Matrix world? Too many rooms and spaces to manage? Well, back by popular demand (with Timo's blessing), I present, The Room of the Week! Every week we strive to highlight a room or a space that we believe deserves attention for discussing interesting going on across the Matrix Network.
Last week, we were serving coffee, this week, it's tea! Specifically, tea at
Do you prefer sheng or shu puerh? Maybe bit more into lapsang, liuan or perhaps cliff oolongs? Greens or whites? Sencha? Having mood to discuss impact of varios clays and pot shapes? Is it better warm up water in bofura, tetsubin or electric kettle? Simply everything about the tea.
Come join us while the kettle is whistling.
If you have a room you wish to see highlighted, join us at:
https://matrix.to/#/!bIyiUUnriVoHtYzuPS:fachschaften.org?via=chat.shawnsorbom.net&via=matrix.org&via=fachschaften.org
To get your favorite room of the week highlighted.
