t2bot/matrix-media-repo v1.3.8

on GitHub

Security

• Limit untrusted decoders during thumbnailing (GHSA-rcxc-wjgw-579r / CVE-2024-56515)
• Improve handling of JSON (GHSA-gp86-q8hg-fpxj / CVE-2024-52791)
• Fix SSRF issues (GHSA-r6jg-jfv6-2fjv / CVE-2024-52602)

Added

• Allow guests to access uploaded media, as per MSC4189.
• The thumbnailer can now be run independently with the thumbnailer binary. See thumbnailer -help for details.

Changed

• MMR now requires Go 1.22 for compilation.
• MMR now builds on a base image of alpine:3.21.
• The global repo.freezeUnauthenticatedMedia option now defaults to true, enabling authenticated media by default. A future release will remove this option, requiring the freeze behaviour. See config.sample.yaml for details.
• For SVG and JPEGXL files, ImageMagick 7 is now required.
• For MP4 files, ffmpeg 6 or 7 (use 7 for best results) is now required.

Fixed

• Return a 404 instead of 500 when clients access media which is frozen.
• Return a 403 instead of 500 when guests access endpoints that are for registered users only.
• Ensure the request parameters are correctly set for authenticated media client requests.
• Ensure remote signing keys expire after at most 7 days.
• Fixed parsing of Authorization headers for federated servers.
• Ensure ignoredHosts is applied to unauthenticated requests.