🔒 Security

This release addresses a security vulnerability in the bridge. Please update as a matter of urgency. A matrix.org blog post detailing the specifics of the bugs will be available soon.

Mitigation

A new security vulnerability was found in the matrix-appservice-irc bridge, for which we are releasing 0.35.1 as a fix. If you have the provisioning API enabled, this is potentially exploitable, so we advise you to upgrade immediately.

In case you cannot upgrade at the moment, we advise to update your IRC bridge configuration as a mitigation as follows:

• Change user permissions to prevent untrusted users from issuing !plumb commands.
• Disable provisioning if enabled.

You may revert these configuration changes after patching.

Bugfixes

• Prevent possible attack by provisisioning a room with a specific roomID. (#1619)