Announce bridge security updates (#1967)

* Announce bridge security updates * Typo
matrix-org · Jul 31, 2023 · b8b732f · b8b732f
1 parent 8326c33
commit b8b732f
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/content/blog/2023/07/2023-07-28-postponing-libera-chat-deportalling.md b/content/blog/2023/07/2023-07-28-postponing-libera-chat-deportalling.md
@@ -5,9 +5,6 @@ title = "Postponing the Libera.Chat deportalling"
 [taxonomies]
 author = ["Thib"]
 category = ["Bridges", "Security"]
-
-[extra]
-image = "https://matrix.org/blog/img/mls-matrix.png"
 +++
 
 We have recently announced that [we will be honouring Libera Chat’s request](https://matrix.org/blog/2023/07/deportalling-libera-chat/) to turn off portalled rooms on the Libera.Chat bridge maintained by the Matrix.org Foundation. The changes were originally scheduled to be effective on 31st July. In the meantime, we posted [instructions for people to turn their portalled rooms into plumbed ones](https://matrix.org/blog/2023/07/make-sure-libera-bridge-keeps-working/) so the bridge keeps working for them.

diff --git a/content/blog/2023/07/2023-07-31-bridges-security-updates.md b/content/blog/2023/07/2023-07-31-bridges-security-updates.md
@@ -0,0 +1,36 @@
++++
+date = "2023-07-31T11:40:00Z"
+title = "Bridges Security Update"
+
+[taxonomies]
+author = ["Integrations Team", "Matrix Security Team"]
+category = ["Bridges", "Security"]
++++
+
+
+Today we are announcing security updates for several of our bridges.
+
+* matrix-appservice-irc [1.0.1](https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1) affected by GHSA-vc7j-h8xg-fv5x, GHSA-3pmj-jqqp-2mj3, and GHSA-c7hh-3v6c-fj4q
+* matrix-hookshot [4.4.1](https://github.com/matrix-org/matrix-hookshot/releases/tag/4.4.1) affected by GHSA-vc7j-h8xg-fv5x
+* matrix-appservice-slack [2.1.2](https://github.com/matrix-org/matrix-appservice-slack/releases/tag/2.1.2) affected by GHSA-vc7j-h8xg-fv5x
+
+In addition we have released matrix-appservice-bridge [9.0.1](https://github.com/matrix-org/matrix-appservice-bridge/releases/tag/9.0.1) (and backported to [8.1.2](https://github.com/matrix-org/matrix-appservice-bridge/releases/tag/8.1.2)) which patches GHSA-vc7j-h8xg-fv5x.
+
+All mentioned bridges are affected by a vulnerability in the provisioning interfaces of these bridges. If you are unable to upgrade, please disable provisioning for now (which should be documented in the relevant bridge sample config). 
+
+<!-- more -->
+
+* [IRC bridge config](https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml#L520-L522)
+    * Set `provisioning.enabled` to false.
+* [Slack bridge config](https://github.com/matrix-org/matrix-appservice-slack/blob/a9f555308fb7485ebb1df98e6c327808915f816f/config/config.sample.yaml#L163) 
+    * Set `provisioning.enabled` to false.
+* [Hookshot config](https://github.com/matrix-org/matrix-hookshot/blob/main/config.sample.yml#L192)
+    * Remove the `widgets` resource (NOT provisioning)
+
+The IRC bridge is also affected by two additional vulnerabilities. In this case, we would recommend upgrading **immediately** rather than working around the problems.
+
+Disclosures for these vulnerabilities, as well as CVE numbers will be out in one weeks time (6th)
+
+**We advise to upgrade as soon as possible.**
+
+If you have further questions, please reach out on [[email protected]](mailto:[email protected])