Releases

Hey all,

We’ve just released Matrix 1.5, a largely maintenance update for the spec. We intentionally haven’t landed any major features in this release as Matrix 1.4, just shy of 2 months ago, had introduced fairly large features for clients and servers to consider. As with all spec releases, we encourage implementations to gradually update over the next few months rather than expect them to have support for everything on release day.

Matrix 1.5 sees just 2 MSCs get merged, though this is to be expected from a maintenance release. We expect that the next release (in Q1 2023) will have a few more exciting features to it :)

We’ve covered both MSCs below, but read on to the full changelog for the full picture.

MSC3267: Reference relations

Already supported implicitly by the spec up until now, reference relations are a way to simply reference another event. Usually these sorts of relations are used for events which need to be related to each other, but a dedicated relationship type doesn’t make a lot of sense.

In-room verification and MSC3381: Polls are examples of how these relations get used.

MSC3905: Clarify appservice interest in user IDs

MSC3905 fixes an issue in the specification where appservices (usually bridges) specifying a users regex without homeserver domain would end up receiving far more event traffic than they would have intended. With the MSC, appservices are now only considered interested in “local” users, regardless of how vague their users namespace is.

Overall this should have no effect on most bridges/appservices, however if an appservice in the wild really does need to listen to all users on all homeservers, it can specify a non-exclusive namespace on all rooms instead.

While writing this MSC into the spec we took some time to clarify the appservice registration requirements more generally: check them out here.

The full changelog

MSCs are how the spec changes in the way it does - adding, fixing, and maintaining features for the whole ecosystem to use. Check out the full changelog below, and the Spec Change Proposals page for more information on how these MSCs got merged (hint: they submitted a proposal, which anyone can do - take a look at the Matrix Live episode where Matthew covers the proposal process).

Client-Server API

Backwards Compatible Changes

• Add m.reference relations, as per MSC3267. (#1206)
• Add missing documentation for m.key.verification.request msgtype for in-room verification. (#1271)

Spec Clarifications

• Fix various typos throughout the specification. (#1260, #1265, #1276)
• Fix naming of device_one_time_keys_count in /sync. (#1266)
• Improve display of event subtypes. (#1283)
• Improve documentation about ephemeral events. (#1284)
• Define a 400 response from /_matrix/client/v3/directory/rooms/{roomAlias}. (#1286)
• Clarify parts of the end-to-end encryption sections. (#1294, #1345)
• Various clarifications throughout the specification. (#1306)
• Replace set_sound push rule action by set_tweak. (#1318)
• Clarify the behavior of PUT /_matrix/client/v3/pushrules/{scope}/{kind}/{ruleId}. (#1319)
• Clarify that .m.rule.master has a higher priority than any push rule. (#1320)
• Require request field refresh_token at endpoint POST /_matrix/client/v3/refresh. (#1323)
• Fix a number of broken links in the specification. (#1330)
• Add example read receipt to GET /_matrix/client/v3/sync response example. (#1341)

Server-Server API

Spec Clarifications

• Fix a number of broken links in the specification. (#1330)

Application Service API

Spec Clarifications

• Clarify that application services can only register an interest in local users, as per MSC3905. (#1305)

Identity Service API

Spec Clarifications

• Fix a number of broken links in the specification. (#1330)

Push Gateway API

No significant changes.

Room Versions

Spec Clarifications

• Reword the event auth rules to clarify that users cannot demote other users with the same power level. (#1269)
• Various clarifications to the text on event authorisation rules. (#1270)
• Fix a number of broken links in the specification. (#1330)

Appendices

No significant changes.

Internal Changes/Tooling

Backwards Compatible Changes

• Update docsy theme to v0.5.0 + matrix.org modifications (https://github.com/matrix-org/docsy/commit/a0032f8db919a6c67ba6cdef2c455f105b6272a2). (#1295)

Spec Clarifications

• Improve error messages emitted by resolve-additional-types template. (#1303)
• Fix link to API viewer. (#1308)
• Stop rendering the subsections of the Client-Server API and Room Versions specs as their own separate pages. (#1317)
• Use a link checker to ensure that we do not have broken links. (#1329, #1338)
• Update instructions to preview Swagger definitions. (#1331)
• Make definition anchors more unique. (#1339)
• Generate the unstable changelogs with towncrier, for consistency. (#1340)
• Update CONTRIBUTING.md to mention that non-content changes to this repo should have an "internal" changelog entry. (#1342)
• Update module summary table with new modules: Event Replacements, Threading and Reference Relations. (#1344)
• Disable RSS generation for the spec. (#1346)

Hey everyone, it's time for a new Synapse release! Synapse 1.69 is out, fresh out of the oven. But before we take a look at it, here's a quick announcement:

We have recently disclosed a moderate severity security vulnerability, which was fixed in Synapse 1.62 (released on July 5th 2022). This issue affects all homeservers running a version of Synapse older than 1.62 with open federation. If this is the case for your deployment, please update to a more recent version of Synapse at your earliest convenience.

See advisory GHSA-jhjh-776m-4765 and CVE-2022-31152 for more information.

Now let's see what's new in Synapse 1.69!

Continue reading…

Hey all,

It’s finally here: threads, edits, and private read receipts. v1.4 has been a little later than usual in the quarter because we wanted to make sure we nailed down all the core MSCs for threads before publishing the spec itself, but we’ve done that now and we’re excited about it.

Continue reading…

We're excited to announce the first tech preview of Third Room, an open, standards-based, decentralised vision of the metaverse for the open Web, built entirely on Matrix… without cryptocurrencies, NFTs or walled gardens.

To see what it's all about, head over to https://thirdroom.io/preview - or come chat in #thirdroom-dev:matrix.org to learn more!

Hey everyone, it's time for a new Synapse release! Synapse 1.68 just dropped, let's have a look at what's inside.

Continue reading…

It's that time again - Synapse release time! Synapse 1.67 is fresh out of the oven, let's have a look at what's inside.

Continue reading…

We've released a new version of matrix.org's node-irc 1.3.0 and matrix-appservice-irc 0.35.0, to patch several security issues:

• IRC mode operator confusion (Low, GHSA-cq7q-5c67-w39w)
• Parsing issue leading to room takeovers (High, GHSA-xvqg-mv25-rwvw)
• Undisclosed issue (Moderate, GHSA-r3p6-cg2c-c4qw)

The details of the final vulnerability will be released at a later date, pending an audit of the codebase to ensure it's not affected by other similar vulnerabilities.

The vulnerabilities have been patched in node-irc version 1.3.0 and matrix-appservice-irc 0.35.0. You can get the release on Github.

The bridges running on the Libera Chat, OFTC and other networks bridged by the Matrix.org Foundation have been patched.

Please upgrade your IRC bridge as soon as possible.

The above vulnerabilities were reported by Val Lorentz. Thank you!

Hey all, we've just released Synapse 1.66! Let's have a look at what's inside this release.

Continue reading…

Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a couple of High severity vulnerabilities (reserved as CVE-2022-36059 for the matrix-js-sdk and CVE-2022-36060 for the matrix-react-sdk).

Affected clients include those which depend on the affected libraries, such as Element Web/Desktop and Cinny. Releases of the affected clients will follow shortly. We advise users of those clients to upgrade at their earliest convenience.

The vulnerabilities give an adversary who you share a room with the ability to carry out a denial-of-service attack against the affected clients, making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.

The full vulnerability details will be disclosed at a later date, to give people time to upgrade and us to perform a more thorough audit of the codebase.

Note that while the vulnerability was to our knowledge never exploited maliciously, some unintentional public testing has left some people affected by the bug. We made a best effort to sanitize this to stop the breakage. If you are affected, you may still need to clear the cache and reload your Matrix client for it to take effect.

We thank Val Lorentz who discovered and reported the vulnerability over the weekend.

Hey everyone! We've just released Synapse 1.65! Let's have a peek at what's inside.

Private read receipts

A feature that the more privacy-focused users of Matrix have been missing was the ability to hide read receipts from other users. Read receipts in rooms can tell a user which messages another user has read in a room. However, they can also be an unwelcome indicator that a user is currently reading a certain room, thus giving away the user's activity on Matrix at a given time.

Hiding one's read receipts from other Matrix users is unfortunately not as straightforward as simply preventing a client from sharing read receipts with the server. This is because read receipts are also used by Matrix homeservers to calculate how much of a room a user has read, and generate notification counts for rooms accordingly.

Synapse 1.65 introduces stable support for private read receipts. This feature, described by MSC2285, allows clients to send a different type of read receipt to the server. This then tells the homeserver to use this piece of information to update the user's notification counts, but not to share it with other users.

Improved room management APIs for modules

This version of Synapse includes two new module API methods to help Synapse modules interact and manage rooms. The first one, lookup_room_alias, allows modules to retrieve the room ID corresponding to a given room alias. This works both for local and remote aliases. The second one, create_room, allows modules to create new rooms on behalf of an existing user.

The update_room_membership method has also been updated in this release of Synapse to allow modules to join a room the server is not already in via federation. This can be done by using the new remote_room_hosts argument, which takes a list of homeservers to try to join via.

Everything else

Synapse 1.65 stabilises the implementation of MSC3827, which allows filtering public room searches on room types. This means it is now possible to search specifically for public spaces. For more information on this feature, see the Synapse 1.63 announcement.

Additionally, Synapse 1.65 implements the new experimental error codes documented by MSC3848. Once stabilised, these error codes will allow clients to show more specific errors to their users about why an event could not be sent.

See the full changelog for a complete list of changes in this release.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including (in no particular order) Beeper, andrewdoh, Julian-Samuel Gebühr and Dirk Klimpel, as well as anyone helping us make Synapse better by sharing their feedback and reporting issues.