
Releases: girlbossceo/conduwuit

v0.4.2

12 Jun 18:06

conduwuit

Release 0.4.2

Hi everyone! conduwuit 0.4.2 has been released. This is a relatively large update that includes an upstream security fix for a local privilege escalation that primarily impacts public homeservers, along with various new features, performance optimisations, and bug fixes. It is very important to update to the latest version as soon as possible if you are hosting a public homeserver or generally have untrusted users on your server. A few database bugs were also fixed that may clear up various jank.

If you are unable to upgrade your server immediately, the mitigation below can be applied: register a fake/shim appservice (via !admin appservices register) with the following contents:

id: temp-mitigation
as_token: <CHANGEME>
hs_token: <CHANGEME>
namespaces:
  users:
    - exclusive: true
      regex: "@.*"
  aliases:
    - exclusive: true
      regex: "#.*"
  rooms: []
rate_limited: false
sender_localpart: <CHANGEME>

Replace each <CHANGEME> value with something random. This fake appservice can be deleted after upgrading to 0.4.2.
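As an added example (not part of the release notes or conduwuit's own code), a small Python helper that fills in the mitigation registration above with random secrets and checks that its exclusive namespaces really cover every user ID and alias; the sender_localpart prefix is an assumption, since the notes only ask for something random.

```python
import re
import secrets

# Namespace regexes exactly as given in the release notes.
USER_REGEX = "@.*"
ALIAS_REGEX = "#.*"


def build_registration(token_bytes: int = 32) -> dict:
    """Mitigation registration with every <CHANGEME> replaced by a random secret."""
    return {
        "id": "temp-mitigation",
        "as_token": secrets.token_urlsafe(token_bytes),
        "hs_token": secrets.token_urlsafe(token_bytes),
        "namespaces": {
            "users": [{"exclusive": True, "regex": USER_REGEX}],
            "aliases": [{"exclusive": True, "regex": ALIAS_REGEX}],
            "rooms": [],
        },
        "rate_limited": False,
        # Random localpart so the shim's sender cannot collide with a real
        # account (constructed choice; the page only says "something random").
        "sender_localpart": "_mitigation_" + secrets.token_hex(8),
    }


def covers(namespace: list, identifier: str) -> bool:
    """True if an exclusive regex in the namespace fully matches the identifier."""
    return any(ns["exclusive"] and re.fullmatch(ns["regex"], identifier)
               for ns in namespace)


def to_yaml(reg: dict) -> str:
    """Render the registration in the same layout as the release notes."""
    out = [f"id: {reg['id']}", f"as_token: {reg['as_token']}",
           f"hs_token: {reg['hs_token']}", "namespaces:"]
    for key in ("users", "aliases"):
        out.append(f"  {key}:")
        for ns in reg["namespaces"][key]:
            out.append(f"    - exclusive: {str(ns['exclusive']).lower()}")
            out.append(f'      regex: "{ns["regex"]}"')
    out += ["  rooms: []", f"rate_limited: {str(reg['rate_limited']).lower()}",
            f"sender_localpart: {reg['sender_localpart']}"]
    return "\n".join(out) + "\n"
```

Feed the output of to_yaml(build_registration()) to the !admin appservices register command; the random tokens never need to be shared with anything, since no real appservice will use this registration.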

Notable changes include:

  • The "See history" button in Element's "view source" dialog for state events now works
  • Fixed 3 long-standing database bugs that resulted in various jank, including room join issues, federated invites not working fully, member counts being out of sync, some push notification issues, and likely some client room name calculation not working
  • Admin commands for viewing some room info such as joined members in a room and seeing the room topic were added
  • An experimental implementation of Dendrite's AdminDownloadState (/admin/downloadState/{serverName}/{roomID}) admin API endpoint was added as a debug command to download and use a room's state from a remote server in the room
  • UNIX socket support has been fixed and is fully functional now
  • conduwuit now logs the client IP on some requests (will be extended more in the future)
  • Deactivations now leave all rooms by default (including admin room deactivation), along with removing your display name and profile picture like Synapse
  • Fix various federation endpoints being disallowed for world-readable rooms
  • Add guest/unauthenticated user support for TURN (turn_allow_guests) like Synapse
  • Add a --force argument to the delete-past-remote-media admin command to skip errors, and fix a logic bug in it
  • Fix emergency password not working
  • Log out all sessions of the server service account when emergency password is unset
  • Add some additional room alias checks and allow creators to delete their own created room aliases like Synapse
  • Add Element spec-compliance client hack for password changes and deactivations not working on legacy Element iOS and Android
  • Use a stricter and more secure CSP as part of a recent Matrix spec proposal
  • conduwuit's spec compliance for media Content-Disposition and Content-Type handling is now corrected
  • Remove unnecessary PDU exists check on receiving read receipts, slightly speeding up transaction handling for read receipts
  • Fix some edge-case client search bugs
  • Disable URL previews by default in new admin room creations
  • Add support for listening on multiple addresses similar to listening on multiple ports
  • Default to listening on both IPv4 localhost (127.0.0.1) and IPv6 localhost (::1)
  • Allow "world readable" read receipt EDUs again
  • Fix some potential shutdown hanging issues
  • General dependency updates/bumps
  • Lots and lots of code cleanups, dedupes, optimisations, refactors, and such

A conduwuit community code of conduct was also added, tailored to at least our Matrix community: https://conduwuit.puppyirl.gay/conduwuit_coc.html

Commit history: v0.4.1...v0.4.2

GitHub Releases | Docker Hub | NixOS

Liberapay | GitHub Sponsors | Ko-fi

Chat with us in #conduwuit:puppygock.gay

v0.4.1

27 May 22:44

Release 0.4.1

Hi everyone! conduwuit 0.4.1 (and 0.4.0) has been released. The most important changes were the various medium and high severity federation security fixes to inherited upstream code. It is strongly recommended that users update to 0.4.1 as soon as possible.

These fixes impact the federation endpoints /send_join, /make_join, /send, /send_leave, /make_leave, and /invite, and fix an indirect bypass of room ACLs and the acceptance of impersonated inbound EDUs such as read receipts, typing indicators, device messages, etc. (except the e2ee master key). Some Complement tests that were loosely security related were also fixed as part of this.

Due to the volume of fixes, the details and specific changes can be found here: #406

Other changes in this release include improved CI/testing and Nix infrastructure, io_uring and jemalloc enabled by default and in static binaries, Complement now enforced in CI, some misc logging improvements, and various code simplifications, improvements, removals, etc.

Commit history: v0.3.4...v0.4.1


v0.3.4

17 May 08:04

Release 0.3.4

Hi everyone! conduwuit 0.3.4 has been released. This is a small maintenance release in preparation for the upcoming v0.4.0 release later this week. No new features were added.

conduwuit was officially added to Complement, and support for running the Content-Disposition safety tests was added there too. (matrix-org/complement#723)

Through those Complement tests we found one more edge-case Content-Type that was being allowed as inline (image/svg+xml); after fixing that, we now pass all 3 Content-Disposition Complement tests.

In addition, we now fully distrust the client's or remote server's Content-Type for all media (uploads, thumbnails, and downloads) and return the type we detected the file to be (falling back to application/octet-stream).

Both changes further improve client security by ensuring we detect the true file type and send web browsers the correct handling instructions.

The Debian packaging, which had been broken for a while (partly in upstream as well), has been fixed; some CI improvements were made; and some documentation and example configs in our repo were cleaned up.

Commit history: v0.3.3...v0.3.4


v0.3.3

11 May 19:45

Release 0.3.3

Hi everyone! conduwuit 0.3.3 has been released. This is a security-enhancement focused release along with lots of bug fixes and a new moderation feature.

Changes include:

  • Send a strong[1] Content-Security-Policy HTTP header on all conduwuit responses if not already present
  • Send various other security-related HTTP headers such as X-Content-Type-Options: nosniff, X-XSS-Protection: 0[2], X-Frame-Options: DENY, Origin-Agent-Cluster: ?1[3], and Permissions-Policy: interest-cohort=(),browsing-topics=()
  • Perform additional sanitisation on the filename for the Content-Disposition (this was already being URL-safe encoded, but we perform our own ad-hoc sanitisation for improved security)
  • Return an inline Content-Disposition based on our own detection of the file type, only for user multimedia MIME types, without trusting the Content-Type header; always fall back to attachment
  • Fix user /report incorrectly saying you are not in the room
  • Fix non-functional unbans due to broken upstream code
  • Moderation feature to automatically deactivate the accounts of any users who attempt to join any malicious room based on your global ACLs, banned rooms, etc
  • Don't send the avatar_url or user display name on ban events as they may be potentially offensive
  • Forget all the rooms when leaving all rooms for a user upon account deactivation
  • Resolve various arithmetic and type-casting correctness issues
  • Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
  • Fix incorrect appservice namespace alias check
  • Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
  • Fix using conduwuit on NixOS without flakes
  • Enable io_uring/liburing as a default feature for performance improvements
  • Bump all the dependencies, and bump the MSRV to 1.77.0

[1]: sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self'; frame-ancestors 'none'; (Note this only affects the content being loaded, not what is loading the content. Images should not have permission to execute JavaScript or reach across to same-origin content to attempt XSS)
[2]: Vulnerabilities caused by XSS filtering
[3]: This is a browser sandbox security feature that requests the browser render the content in its own dedicated isolated process, as part of improved origin isolation

Adding these security headers such as the CSP is not only part of the Matrix spec as a recommendation; as a general recommendation (e.g. XMPP's XEP-0363), untrusted user-uploaded content should be heavily isolated and sandboxed, and not allowed any permissions. This is in response to the previous high severity security release: by not only retaining the filename as part of the Content-Disposition header for browsers, we can still provide the improved UX of allowing an inline Content-Disposition for user multimedia (images, videos, audio, etc.) while keeping the user as secure as possible from any XSS concerns or exploits via the various HTTP security headers.
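The media hardening described in the 0.3.3 and 0.3.4 notes (detect the type from the bytes instead of trusting the declared Content-Type, serve inline only for user multimedia with image/svg+xml excluded, sanitise the filename, and add the security headers when absent), as an added Python example; this is not conduwuit's code, and the magic-byte table and filename character set are constructed stand-ins for the project's real detector and sanitiser.

```python
import re
# Security headers from the 0.3.3 release notes; the CSP is footnote [1].
SECURITY_HEADERS = {
    "Content-Security-Policy": ("sandbox; default-src 'none'; font-src 'none'; "
                                "script-src 'none'; plugin-types application/pdf; "
                                "style-src 'unsafe-inline'; object-src 'self'; "
                                "frame-ancestors 'none';"),
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "X-Frame-Options": "DENY",
    "Origin-Agent-Cluster": "?1",
    "Permissions-Policy": "interest-cohort=(),browsing-topics=()",
}
# Constructed magic-byte table: a stand-in for a real file-type detector.
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"GIF8", "image/gif"), (b"\x1a\x45\xdf\xa3", "video/webm")]

def detect_mime(data: bytes) -> str:
    """Type from the bytes themselves; the declared Content-Type is ignored."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    head = data[:512].lstrip().lower()
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return "image/svg+xml"
    if head.startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "application/octet-stream"  # valid fallback, as in the notes

def sanitize_filename(name: str) -> str:
    """Ad-hoc sanitisation: replace anything outside a conservative charset."""
    name = re.sub(r"[^A-Za-z0-9._ -]", "_", name).strip(". ")
    return name[:255] or "download"

def disposition_for(mime: str, filename: str) -> str:
    """inline only for user multimedia; SVG (may embed script) is attachment."""
    inline = mime.startswith(("image/", "video/", "audio/")) and mime != "image/svg+xml"
    return f'{"inline" if inline else "attachment"}; filename="{sanitize_filename(filename)}"'

def media_headers(data: bytes, filename: str, existing=None) -> dict:
    """Headers for one media response; hardening headers added if not present."""
    headers = dict(existing or {})
    mime = detect_mime(data)
    headers["Content-Type"] = mime
    headers["Content-Disposition"] = disposition_for(mime, filename)
    for name, value in SECURITY_HEADERS.items():
        headers.setdefault(name, value)
    return headers
```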

Commit history: v0.3.2...v0.3.3


v0.3.2

05 May 20:54

This is a security release.

The Content-Disposition HTTP header had always been set to inline, which causes untrusted content opened in browsers to be rendered (including HTML files) instead of downloaded. This release forces all of them to attachment. This has no impact on Matrix clients.

Users who use a restrictive Content-Security-Policy are not affected by any XSS concerns here.

v0.3.1

03 May 06:47

Release 0.3.1

Hi everyone! conduwuit 0.3.1 has been released. This is a minor maintenance follow-up to last week's release which was very well received by many new users. This week was mostly cleanup, improvements, and some bug fixes. Some of the changes include:

  • Add Complement testing support to CI.
  • Optimize RocksDB compaction to further reduce database file count.
  • Improve concurrency on single-core systems.
  • Fix presence status results from /presence/{userId}/status. (/sync results unaffected).
  • Nix flake fixes and improvements; cache dependencies in binary cache and improve build performance.
  • Work around room creation requests with non-spec-compliant initial_state bodies (source was an appservice).
  • Start uploading container images to GitLab Container Registry.
  • Bump all the dependencies everywhere (maintenance).
  • General code cleanups, minor optimisations, and maintenance refactors before we transition out of feature-freeze and prepare for the next major release.


v0.3.0

26 Apr 06:44

The "first" official stable tagged release of conduwuit!

what is conduwuit?

conduwuit is a well-maintained, featureful hard fork of Conduit with tons of new features, many bug fixes, huge performance improvements, quality of life enhancements, moderation tools, and much more. It is fully database-compatible with upstream; no migration path is necessary, and you can switch between the two with no issues. Check out the full list of differences and features here: https://conduwuit.puppyirl.gay/differences.html

First ever TWIM post: https://matrix.org/blog/2024/04/26/this-week-in-matrix-2024-04-26/#conduwuit-website