💾 Archived View for downtime.kirigiri.me › entries › 2024-06-14.gmi captured on 2024-06-16 at 12:01:45. Gemini links have been rewritten to link to archived content


2024-06-14 - Conduit Matrix Server upgrade (0.7 to 0.8)

Details

Machine(s) involved: Europa

Start: Friday 14th June 2024 07:43pm

End: Friday 14th June 2024 07:48pm

Outcome: Success

Conduit 0.8 was swapped seamlessly into the place of 0.7, and the service was then restarted after editing its service file to point to the new executable.

Description

An update has been released for Conduit, the program that runs my Matrix server. Conduit 0.8.0 contains a critical security patch which fixes a vulnerability that can be exploited in 0.7.0. Exploiting it requires the attacker to have an account on the target server.

While I don't believe anyone who has an account on my server would do this, I would like to upgrade out of caution and also to get a few additions. To quote from the changelog, this is what has changed / been fixed / etc in Conduit 0.8:

This release is focused on patching security vulnerabilities. Most notably, there is a CRITICAL vulnerability, which requires an attacker to have an account on your server. Administrators who have untrusted users on their server (e.g. public homeservers) are advised to update immediately or take their homeserver off the internet ASAP.
Please send @conduit:server.name: help into your admin room. If the Conduit bot does not respond to the command, even after a restart, you have likely been a victim of this vulnerability, and should not connect your server to the internet for the time being, even after upgrading. Please contact us privately if you are affected. If the Conduit user does respond to any command, then you are safe to connect your homeserver to the internet after upgrading. We will release further instructions for victims on 2024-06-19, 18:00 UTC. The other vulnerabilities are relatively minor, but we still urge you to upgrade as soon as possible.

I can confirm that mtrx.kirigiri.me has NOT been affected by this vulnerability.
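The changelog's self-check, scripted: an added example (not Conduit's tooling or this capsule's code) that sends the help command to the admin room over the Matrix client-server API and reports whether the Conduit bot answered. The homeserver URL, access token and admin room id are placeholders, and @conduit:server.name is the bot id as the changelog writes it.

```python
"""Automated version of the Conduit 0.8 changelog's self-check: post
'@conduit:server.name: help' into the admin room and wait for the bot to answer."""
import json
import time
import urllib.parse
import urllib.request

HOMESERVER = "https://server.name"         # placeholder
ACCESS_TOKEN = "ACCESS_TOKEN_PLACEHOLDER"  # placeholder: an admin user's token
ADMIN_ROOM = "!adminroom:server.name"      # placeholder: the Conduit admin room id
BOT_USER = "@conduit:server.name"          # bot id as written in the changelog

def _api(method, path, body=None, params=None):
    """Minimal Matrix client-server API call using only the standard library."""
    url = HOMESERVER + path + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body else None,
        headers={"Authorization": "Bearer " + ACCESS_TOKEN,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def bot_replied(events, probe_event_id, bot_user=BOT_USER):
    """Pure check over /sync timeline events (server order): True only if an
    m.room.message from the bot follows our own probe message."""
    seen_probe = False
    for ev in events:
        if ev.get("event_id") == probe_event_id:
            seen_probe = True
        elif (seen_probe and ev.get("sender") == bot_user
              and ev.get("type") == "m.room.message"):
            return True
    return False

def probe_admin_bot(wait_seconds=30):
    """Send the help command, then poll /sync until the bot answers or time runs out.
    No answer, even after restarting Conduit, is the changelog's compromise signal."""
    since = _api("GET", "/_matrix/client/v3/sync", params={"timeout": 0})["next_batch"]
    room = urllib.parse.quote(ADMIN_ROOM)
    sent = _api("PUT", f"/_matrix/client/v3/rooms/{room}/send/m.room.message/probe-{int(time.time() * 1000)}",
                body={"msgtype": "m.text", "body": f"{BOT_USER}: help"})
    seen, deadline = [], time.time() + wait_seconds
    while time.time() < deadline:
        sync = _api("GET", "/_matrix/client/v3/sync", params={"since": since, "timeout": 10000})
        since = sync["next_batch"]
        timeline = sync.get("rooms", {}).get("join", {}).get(ADMIN_ROOM, {}).get("timeline", {})
        seen += timeline.get("events", [])
        if bot_replied(seen, sent["event_id"]):
            return True
    return False
```

Because the sync token is taken before the probe is sent, only bot messages that arrive after our own command count as a reply.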

And now the actual features that have been added:

Feature: Support for integration managers, as well as anything else that depends on Open ID endpoints, thanks to avdb !681
Feature: Support for hosting .well-known files from Conduit directly, thanks to M0dEx !332

(note: this should make Sliding Sync work out of the box according to the changelog, though I think it's still buggy.)

Allowing for toggling of registration via admin command, without requiring a restart, thanks to rmsthebest in !477

(this originally was only an option you could edit in the configuration file)

Note that this will only impact Conduit for a moment while I swap the old executable for the new one. Mastodon and other services will be unaffected unless everything explodes and the heat death of the universe occurs.