Closed Bug 1822595 (CVE-2023-28427) Opened 2 years ago Closed 2 years ago

Update matrix-js-sdk to v24.0.0

Categories

(Chat Core :: Matrix, defect)

Thunderbird 102
defect

Tracking

(thunderbird_esr102 fixed, thunderbird111 wontfix, thunderbird112 fixed, thunderbird113 fixed)

RESOLVED FIXED
113 Branch
Tracking Status
thunderbird_esr102 --- fixed
thunderbird111 --- wontfix
thunderbird112 --- fixed
thunderbird113 --- fixed

People

(Reporter: clokep, Assigned: clokep)

References

()

Details

Attachments

(1 file)

This was predisclosed a few minutes ago:

I’m writing to inform you that we will be releasing high severity security releases of matrix-js-sdk, matrix-react-sdk, element-web and element-desktop next Wednesday (2023-03-22) around 16:00 UTC. We’d like to do a co-ordinated release to minimise the unpatched window.

We’re planning on sharing the patches with you around 08:00 UTC on the day of the release. The patches must be treated as confidential (TLP:RED) until the release time, when the embargo ends.

The security release should be publicly pre-announced on Friday (2023-03-17). Before that, the fact that a security release is happening should only be shared on a need-to-know basis to help with co-ordinating the release (TLP:AMBER).

We'll likely want to uplift to both ESR & beta.

Note that they're both matrix-js-sdk v21.0.0 (see bug 1799705).

Summary: Update matrix-js-sdk to vv23.5.1 (?) → Update matrix-js-sdk to v23.6.0

A bit more info after prompting:

The issues affect matrix-js-sdk and matrix-react-sdk. There are no CVE numbers yet, but they've been requested and we'll provide them here once they're allocated.

The fixed version numbers should be 23.6.0 for matrix-js-sdk and 3.69.0 for matrix-react-sdk (provided we don't need to do a hotfix release in the meantime for unrelated reasons).

And finally: impact should be restricted to denial of service, but we cannot rule out control flow alteration completely (even though it's not been demonstrated), and hence the high severity.

I can write up the MFSA once we have a CVE number (and a bit more info, hopefully).

This was delayed until next week (Tuesday 28th March):

Hi @room, regarding the planned security release: we are delaying the release until Tuesday 28th March. Apologies for the change of schedule and the inconvenience it will cause you. We have a couple of staff who are unavoidably away this week, so this delay allows us to make certain we have the right people available, and hopefully makes it easier for you to get prepared.

The timetable for the day remains the same: 08:00 UK time we will release patches here, and then 16:00 UK time we will make the public release and announcement.

Bug 1823743 should update us to the current latest version to make the diff smaller.

I think by the 28th the UK will have switched to summer time, so these are no longer UTC times; instead they are UTC+1.

This will be CVE-2023-28427; no additional information has currently been released.

Based on https://wiki.mozilla.org/Security_Severity_Ratings/Client and what we've been told (note this being a continuation of the fixes in matrix-js-sdk v20.0.0 / bug 1791765) I suspect we should call this sec-high due to potential for control flow alteration; some suggested advisory text:

CVE-2023-28427:
    title: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
    impact: high
    publish: false
    description: |
        Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack.
    bugs:
        - url: 1822595

I'm expecting a blog post or some other information tomorrow so can likely update this to be more specific but so far we don't know reporter or any additional impact. The previous DoS we called sec-moderate (bug 1787741), so maybe downgrade it to that?

Alias: CVE-2023-28427
Assignee: nobody → clokep
Status: NEW → ASSIGNED
Attachment #9325437 - Attachment description: Bug 1822595 - Update matrix-js-sdk to v23.6.0. r=rjl → Bug 1822595 - Update matrix-js-sdk to v24.0.0. r=rjl

I tested the above patch.

Summary: Update matrix-js-sdk to v23.6.0 → Update matrix-js-sdk to v24.0.0
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

More info got published:

Element Web v1.11.26 is here!

This is a security release to address two high severity issues that affect Element Web’s dependencies, matrix-js-sdk (CVE-2023-28427, GHSA-mwq8-fjpf-c2gr) and matrix-react-sdk (CVE-2023-28103, GHSA-6g43-88cp-w5gv).

The issues involve “prototype pollution” - events sent with special strings in key places can temporarily disrupt or impede matrix-js-sdk and matrix-react-sdk from functioning properly, potentially impacting the consumer's ability to process data safely.

Check it out at app.element.io, or from Docker Hub.

The builds of Element Desktop are not quite ready yet, but they are coming very soon.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr
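The advisory quoted above describes the bug class only in outline. The following is an added example, not code from matrix-js-sdk, matrix-react-sdk or Thunderbird, and it does not reproduce the actual fix in v24.0.0; it shows the general mechanism of prototype pollution that the advisory names: a recursive merge that trusts every key of an incoming event lets a "__proto__" key write onto Object.prototype, and a hardened merge that skips prototype-reaching keys does not. The event body, the function names (naiveMerge, safeMerge, findForbiddenKeys, demonstratePollution, demonstrateHardened) and the constant UNTRUSTED_EVENT_JSON are all constructed for this illustration.

```javascript
// Added example, not matrix-js-sdk or Thunderbird code. Shows the mechanism
// behind the prototype-pollution class named in the advisory: a recursive
// merge that trusts every key of an incoming event, beside a merge that
// skips the keys able to reach Object.prototype. All names are hypothetical.

// Constructed sample event, parsed from JSON so that "__proto__" arrives as
// an ordinary own property rather than being interpreted by the parser.
const UNTRUSTED_EVENT_JSON =
  '{"type":"m.room.message","content":{"body":"hi"},' +
  '"__proto__":{"polluted":"yes"}}';

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable pattern: recurse into every key. For a plain-object target,
// target["__proto__"] resolves to Object.prototype, so the nested write
// lands on the prototype shared by every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: drop the three keys that can reach a prototype, and only
// recurse into properties the target actually owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validation helper for inbound data: list the paths of any forbidden key so
// the event can be rejected or logged before it reaches merge-style code.
function findForbiddenKeys(value, path = []) {
  if (!isPlainObject(value)) return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join("."));
    hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Run the vulnerable merge, observe the effect on an unrelated object, then
// undo the pollution so the rest of the process is unaffected.
function demonstratePollution() {
  const event = JSON.parse(UNTRUSTED_EVENT_JSON);
  const unrelated = {};
  try {
    naiveMerge({}, event);
    return unrelated.polluted; // "yes": the write reached Object.prototype
  } finally {
    delete Object.prototype.polluted;
  }
}

// Same event through the hardened merge: data keys survive, the dangerous
// key is dropped, and unrelated objects are untouched.
function demonstrateHardened() {
  const event = JSON.parse(UNTRUSTED_EVENT_JSON);
  const unrelated = {};
  const merged = safeMerge({}, event);
  return {
    leaked: unrelated.polluted,   // undefined
    type: merged.type,            // "m.room.message"
    body: merged.content.body,    // "hi"
    ownProto: Object.prototype.hasOwnProperty.call(merged, "__proto__"), // false
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive merge leaks:", demonstratePollution());
  console.log("safe merge result:", demonstrateHardened());
  console.log("forbidden keys:", findForbiddenKeys(JSON.parse(UNTRUSTED_EVENT_JSON)));
}
```

The practical takeaway for a consumer of untrusted events, which is how the advisory frames the impact, is the validation step: reject or strip the three prototype-reaching keys at the parsing boundary, and never let generic deep-merge or deep-assign helpers recurse into keys that the target does not own.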

Comment on attachment 9325437 [details]
Bug 1822595 - Update matrix-js-sdk to v24.0.0. r=rjl

[Approval Request Comment]
Regression caused by (bug #): N/A
User impact if declined: Security issue in matrix-js-sdk
Testing completed (on c-c, etc.): Ensured account setup and message sending/receiving works (including in encrypted rooms), unit tests and linting worked on c-c. Patch applied cleanly on comm-esr102 (after the backport of bug 1799705).
Risk to taking this patch (and alternatives if risky): Low risk, changes are internal to the SDK and don't affect external API we use.

Attachment #9325437 - Flags: approval-comm-esr102?
Attachment #9325437 - Flags: approval-comm-beta?

Comment on attachment 9325437 [details]
Bug 1822595 - Update matrix-js-sdk to v24.0.0. r=rjl

[Triage Comment]
Approved for beta
Approved for esr102

Attachment #9325437 - Flags: approval-comm-esr102?
Attachment #9325437 - Flags: approval-comm-esr102+
Attachment #9325437 - Flags: approval-comm-beta?
Attachment #9325437 - Flags: approval-comm-beta+
Regressions: 1838927

I think this can be opened up now -- details have been known for a long time (see the linked blog post from matrix.org) and this was fixed before Thunderbird 115 (current ESR) was released.

Group: mail-core-security
