handle Matrix federation security issue and room upgrades
There's been some big noise from Matrix.org this week:
https://matrix.org/blog/2025/07/security-predisclosure/
It seems like:
- on July 22nd, all Matrix servers should upgrade to the latest version
- starting from July 22nd, room admins must upgrade their rooms to v12
The impact is unclear; they say:

> Only rooms which include users on potentially malicious servers (e.g. publicly joinable rooms on untrusted federations) are vulnerable.

and:

> these are not Critical Severity vulnerabilities, there is no requirement for room admins to upgrade rooms immediately on Jul 22nd

It's unclear what the actual vulnerability is, but the above announcement mentions something about "scenarios where Matrix's state resolution algorithm can give unexpected results".

The fix seems rather radical:

> room creators effectively have infinite power level
This is going to be particularly chaotic for us as rooms were created by pretty much whoever.
Assigning to @ahf and @micah since I'm going AFK for three weeks and they're the other two "root" users on Matrix.
The debian.social folks have been notified as well, and I assume they will take the necessary precautions, but I haven't got confirmation. Ping them on #debian-social / OFTC to confirm.
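As an added example (not part of this issue, and not the Matrix project's own tooling), a small script that reads a room's `m.room.create` state and, when the room is below v12, requests an upgrade through the client-server API. `HOMESERVER` and `ACCESS_TOKEN` are placeholders, and it assumes the token belongs to an account that is allowed to upgrade the room; the account running the upgrade becomes the creator of the replacement room, which matters given the creator power described above.

```python
import json
import urllib.parse
import urllib.request

TARGET_VERSION = "12"
HOMESERVER = "https://matrix.example.org"   # placeholder, assumed
ACCESS_TOKEN = "REPLACE_WITH_ADMIN_TOKEN"   # placeholder, assumed


def room_version(create_content: dict) -> str:
    """Version from m.room.create content; the spec treats a missing field as "1"."""
    return str(create_content.get("room_version", "1"))


def needs_upgrade(create_content: dict, target: str = TARGET_VERSION) -> bool:
    """True when the room is below the target version.  Non-numeric
    (unstable/experimental) versions are flagged so a human looks at them."""
    try:
        return int(room_version(create_content)) < int(target)
    except ValueError:
        return True


def room_endpoint(homeserver: str, room_id: str, suffix: str) -> str:
    """Room IDs contain '!' and ':' and must be percent-encoded in the path."""
    return f"{homeserver}/_matrix/client/v3/rooms/{urllib.parse.quote(room_id, safe='')}/{suffix}"


def _call(url: str, token: str, body: dict = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method="POST" if data is not None else "GET",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def upgrade_if_needed(room_id: str, dry_run: bool = True,
                      homeserver: str = HOMESERVER, token: str = ACCESS_TOKEN) -> dict:
    """Read the create event; only when the room is below v12, POST /upgrade.
    The upgrade tombstones the old room and creates a replacement whose creator
    is this account, so run it from the account that should hold that role."""
    create = _call(room_endpoint(homeserver, room_id, "state/m.room.create"), token)
    result = {"room_id": room_id, "version": room_version(create)}
    if not needs_upgrade(create):
        return {**result, "action": "none"}
    if dry_run:
        return {**result, "action": "would-upgrade"}
    new = _call(room_endpoint(homeserver, room_id, "upgrade"), token,
                {"new_version": TARGET_VERSION})
    return {**result, "action": "upgraded", "replacement_room": new["replacement_room"]}
```

Run with `dry_run=True` first over the room list to see which rooms would actually change before tombstoning anything.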
rooms to upgrade

- !4NWx_HQ0lKMQv0MHqcjLPJuZ6idiVhhXvOCFfD-770E
- "moderation" !aFpeGBiSsgnBlqHTcP:madduck.net (dead)
- #arti-onion-svc-tooling:matrix.org !GcLwXdUaQiQBuRhZRU:matrix.org
- #cakeorpie:matrix.org !oYgyLUfxcwLccMNubm:matrix.org 🚨 had trouble, should be resolved, see #42240 (comment 3257876)
- "tor internal space" !PkrCQmUfrBliNfyqkg:matrix.org (N/A?)
- #tails-dev-internal:matrix.org !TvqWBqXjVannVMhmki:matrix.org
- #tails-dev:matrix.org !KCVzziPJcvSYfqNaER:matrix.org (not bridged!)
- #tor-admin:matrix.org !z8zYrmVWw8e2FqCiqxTWxvs_8UauN7DNSZoPHjjm3O4
- #tor-alerts:matrix.org !vfztBVVeDRYJccNtdz:matrix.org
- #tor-anticensorship:matrix.org !jRxGDjXjyTpKaJypgV:matrix.org ⚠️ 8/204 users unsupported or unknown (4%)
- #tor-bad-relays:matrix.org !XAFfZYrSArZHRGGNcy:matrix.org
- #tor-bots:matrix.org !GBZFwXbzVOHFMTZNjK:matrix.org
- #tor-browser-dev:matrix.org !jfSTwutRzJgbhOjgXv:matrix.org
- #tor-dev:matrix.org !hNphRlWKcRVXnwAWJy:matrix.org ⚠️ 19/983 users unsupported or unknown (2%)
- #tor-internal:matrix.org !kSemheZJSaMFRYUQMy:matrix.org
- #tor-l10n:matrix.org !eXSAdLkkydtyWPCxwu:matrix.org ⚠️ 5/160 users unsupported or unknown (3%)
- #tor-matrix-admin:matrix.org !ngBwTgkyMImvlElhcQ:matrix.org
- #tor:matrix.org !REMyNDGslqLUQnGoxg:matrix.org ⚠️ 122/2782 users unsupported or unknown (4%)
- #tor-matrix-test:matrix.debian.social !OfrOiBoLaIONBJIRpY:matrix.org
- #tor-meeting:matrix.org !ZzJuMwyzqCQoldAycg:matrix.org ⚠️ 4/228 users unknown (1%)
- #tor-network-health:matrix.org !usZTVBPpSYBAwYriUJ:matrix.org
- #tor-project:matrix.org !WErfqWFuqClbkBxThW:matrix.org ⚠️ 74/3397 users unsupported or unknown (2%)
- #tor-relays:matrix.org !JSrNheIGoJcqBNpmiK:matrix.org ⚠️ 544 unknown, 9 unsupported out of 738 users (!! 75%! 1% unsupported, but 74% unknown!)
- #tor-south:matrix.org !serxsnesrIReEpfgdN:matrix.org ⚠️ 4/141 unknown or unsupported (3%)
- #tor-space:matrix.org !NYoVfrhaUNDdVaEYsn:matrix.org (N/A?)
- #tor-ux:matrix.org !BVISXmIJfYibljSXNs:matrix.org ⚠️ 1/149 unsupported (1%)
- #tor-vpn:matrix.org !VCzbomHQpQuMdsPSWu:matrix.org ⚠️ 4/132 unsupported or unknown (3%)
- #tor-www-bots:matrix.org !LpnGViCmMNjJYTXwjF:matrix.org
- #tor-www:matrix.org !qyImLEShVvoqqhuASk:matrix.org ⚠️ 2/140 unsupported or unknown (1%)
In total, it looks like, in problematic rooms, we have 252 users out of 8860, or 3% of users that are negatively affected by the change. I did not check globally, but the remaining rooms are rather small and shouldn't change the ratio that much. At most we'd go down to 2% affected users.