github girlbossceo/conduwuit v0.4.2

3 months ago

conduwuit

Release 0.4.2

Hi everyone! conduwuit 0.4.2 has been released. This is a relatively huge update that includes an upstream security fix for a vulnerability which may result in local privilege escalation and primarily impacts public homeservers, along with various new features, performance optimisations, and bug fixes. It is very important to update to the latest version as soon as possible if you are hosting a public homeserver, or generally have untrusted users on your server. A few database bugs were also fixed, which may clear up various jank.

If you are unable to upgrade your server immediately, a mitigation for the vulnerability is to register a fake/shim appservice (!admin appservices register) with the following contents:

id: temp-mitigation
as_token: <CHANGEME>
hs_token: <CHANGEME>
namespaces:
  users:
    - exclusive: true
      regex: "@.*"
  aliases:
    - exclusive: true
      regex: "#.*"
  rooms: []
rate_limited: false
sender_localpart: <CHANGEME>

This fake appservice can be deleted after upgrading to 0.4.2. Change the <CHANGEME> values to something random.
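
The fill-in step above, as an added example that is not part of the original release notes or conduwuit's own code: a Python helper that fills the registration with random values and checks a registration before it is pasted into the admin room. The token lengths, the "mitigation-" localpart prefix, the quoting of the values and the sample IDs are assumptions made for illustration.

```python
import re
import secrets

# The registration from the release notes, with the <CHANGEME> fields as slots.
TEMPLATE = """\
id: temp-mitigation
as_token: "{as_token}"
hs_token: "{hs_token}"
namespaces:
  users:
    - exclusive: true
      regex: "@.*"
  aliases:
    - exclusive: true
      regex: "#.*"
  rooms: []
rate_limited: false
sender_localpart: "{sender_localpart}"
"""

FIELD_RE = r'^(as_token|hs_token|sender_localpart):[ \t]*"?([^"\s]+)"?[ \t]*$'


def build_registration() -> str:
    """Return the shim registration with fresh random values filled in."""
    return TEMPLATE.format(
        as_token=secrets.token_urlsafe(32),
        hs_token=secrets.token_urlsafe(32),
        # Hypothetical prefix; lowercase hex stays within the localpart grammar.
        sender_localpart="mitigation-" + secrets.token_hex(8),
    )


def check_registration(text: str) -> list:
    """Return a list of problems; an empty list means it is ready to paste."""
    problems = []
    if "CHANGEME" in text:
        problems.append("placeholder <CHANGEME> still present")
    fields = dict(re.findall(FIELD_RE, text, re.M))
    for key in ("as_token", "hs_token"):
        if len(fields.get(key, "")) < 32:
            problems.append(f"{key} missing or shorter than 32 characters")
    if not fields.get("sender_localpart"):
        problems.append("sender_localpart missing")
    if fields.get("as_token") and fields["as_token"] == fields.get("hs_token"):
        problems.append("as_token and hs_token must differ")
    # Constructed sample IDs: both must fall inside one of the namespace regexes.
    patterns = re.findall(r'regex: "(.+)"', text)
    for sample in ("@alice:example.org", "#lobby:example.org"):
        if not any(re.match(p, sample) for p in patterns):
            problems.append(f"{sample} not covered by any namespace")
    return problems
```

Print the result of build_registration() and paste it as the body of the !admin appservices register command.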

Notable changes include:

  • "See history" button in Element on state events "view source" to see their history now works
  • Fixed 3 long-standing database bugs that resulted in various jank, including room join issues, federated invites not working fully, member counts being out of sync, some push notification issues, and likely some client room name calculation not working
  • Admin commands for viewing some room info such as joined members in a room and seeing the room topic were added
  • An experimental implementation of Dendrite's AdminDownloadState (/admin/downloadState/{serverName}/{roomID}) admin API endpoint was added as a debug command to download and use a room's state from a remote server in the room
  • UNIX socket support has been fixed and is fully functional now
  • conduwuit now logs the client IP on some requests (will be extended more in the future)
  • Deactivations now leave all rooms by default (including admin room deactivation), along with removing your display name and profile picture like Synapse
  • Fix not allowing various federation endpoints for world readable rooms
  • Add guest/unauthenticated user support for TURN (turn_allow_guests) like Synapse
  • Add a --force argument to the admin command for deleting past remote media to skip errors, and fix a logic bug with it
  • Fix emergency password not working
  • Log out all sessions of the server service account when emergency password is unset
  • Add some additional room alias checks and allow creators to delete their own created room aliases like Synapse
  • Add Element spec-compliance client hack for password changes and deactivations not working on legacy Element iOS and Android
  • Use a more strict and secure CSP as part of a recent Matrix spec proposal
  • conduwuit spec compliance with media on Content-Disposition and Content-Type handling is now corrected
  • Remove unnecessary PDU exists check on receiving read receipts, slightly speeding up transaction handling for read receipts
  • Fix some edge-case client search bugs
  • Disable URL previews by default in new admin room creations
  • Add support for listening on multiple addresses similar to listening on multiple ports
  • Default to listening on both IPv4 localhost (127.0.0.1) and IPv6 localhost (::1)
  • Allow "world readable" read receipt EDUs again
  • Fix some potential shutdown hanging issues
  • General dependency updates/bumps
  • Lots and lots of code cleanups, dedupes, optimisations, refactors, and such

A conduwuit community code of conduct, tailored to at least our Matrix community, was also added: https://conduwuit.puppyirl.gay/conduwuit_coc.html

Commit history: v0.4.1...v0.4.2


Chat with us in #conduwuit:puppygock.gay
