+++
title = "0.34.0 security release for matrix-appservice-irc (High severity)"
date = "2022-05-04T11:02:24Z"
updated = "2022-05-04T09:27:14Z"
path = "/blog/2022/05/04/0-34-0-security-release-for-matrix-appservice-irc-high-severity"

[taxonomies]
author = ["Tadeusz Sośnierz"]
category = ["Releases", "Security"]
+++

We've released updates to matrix-appservice-irc and to our fork of node-irc, which it depends on, to patch a High severity vulnerability. We advise updating to 0.34.0 as soon as possible.

The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message.

Incorrect handling of a carriage return (CR) character allowed part of a message to be sent to the IRC server verbatim, as its own protocol line, rather than as a message to the channel. Because a reply carries text from the message it replies to, the crafted content is forwarded over the replying user's own bridged IRC connection, so the injected command runs with that user's IRC identity.

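The following is an added example, not code from node-irc or matrix-appservice-irc, that models the class of bug described above. The function names, the reply-quoting format and the sample messages are all constructed for illustration: a message encoder that only treats LF as a line break lets a bare CR in the text terminate the `PRIVMSG` early on the wire, and a lenient server, which accepts CR or LF as a terminator, then reads whatever follows as a separate command. The hardened encoder treats CR, LF and CRLF alike.

```javascript
// Added example (not node-irc's or the bridge's code). Models how a bare CR in a
// message body can turn into a separate IRC command, and the fix.

const CRLF = "\r\n";

// Vulnerable encoder: only LF is treated as a line break, so a bare CR stays
// inside the PRIVMSG payload and reaches the socket verbatim.
function encodePrivmsgVulnerable(target, text) {
  return text
    .split("\n")
    .map((line) => `PRIVMSG ${target} :${line}${CRLF}`)
    .join("");
}

// Hardened encoder: CR, LF and CRLF all count as line breaks, and empty
// fragments are dropped, so nothing in user text can end a protocol line early.
function encodePrivmsgFixed(target, text) {
  return text
    .split(/\r\n|\r|\n/)
    .filter((line) => line.length > 0)
    .map((line) => `PRIVMSG ${target} :${line}${CRLF}`)
    .join("");
}

// Lenient server-side line reader (constructed): like many IRC servers it
// accepts CR or LF as a terminator. Returns the command verb of each line.
function serverCommands(wire) {
  return wire
    .split(/\r\n|\r|\n/)
    .filter((line) => line.length > 0)
    .map((line) => line.split(" ")[0]);
}

// Constructed reply-quoting format: a reply carries the quoted original text,
// which is what lets the attacker's bytes ride on the victim's connection.
function buildReplyBody(quotedNick, quotedText, replyText) {
  return `<${quotedNick}> ${quotedText} <- ${replyText}`;
}

// Constructed attacker message: everything after the CR is meant to be read by
// the server as a new command once the victim's client forwards it.
const ATTACKER_MESSAGE = "hello\rJOIN #attacker-controlled";

// Which command verbs the server sees for a given encoder, assumed channel "#room".
function commandsSeenByServer(encoder) {
  const body = buildReplyBody("mallory", ATTACKER_MESSAGE, "sure");
  return serverCommands(encoder("#room", body));
}

console.log("vulnerable:", commandsSeenByServer(encodePrivmsgVulnerable));
console.log("fixed:     ", commandsSeenByServer(encodePrivmsgFixed));
```

With the vulnerable encoder the server sees a `PRIVMSG` followed by a `JOIN` issued from the victim's connection; with the fixed one the same text becomes two harmless `PRIVMSG` lines. The same check applies to any place user-controlled text is concatenated into a line-oriented protocol: split or strip on every terminator the peer accepts, not only the one your own code emits.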
If you are a matrix-appservice-irc user, exercise caution when replying to messages from untrusted participants in IRC-bridged rooms until your bridge instance has been upgraded.

The vulnerability has been patched in node-irc version 1.2.1 and matrix-appservice-irc 0.34.0. You can get the release [on GitHub](https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.34.0).

The bridges running on Libera Chat, OFTC and the other networks bridged by the Matrix.org Foundation have been patched.

The vulnerabilities are tracked as [GHSA-37hr-348p-rmf4][appservice-vuln] and [GHSA-52rh-5rpj-c3w6][node-irc-vuln].

[node-irc-vuln]: <https://github.com/matrix-org/node-irc/security/advisories/GHSA-52rh-5rpj-c3w6>
[appservice-vuln]: <https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-37hr-348p-rmf4>

Thank you, [Val Lorentz](https://valentin-lorentz.fr/), for reporting this vulnerability.