handle Matrix federation security issue and room upgrades
There's been some big noise from Matrix.org this week:
https://matrix.org/blog/2025/07/security-predisclosure/
It seems like:
- on July 22nd, all Matrix servers should upgrade to latest
- starting from July 22nd, room admins must upgrade their rooms to v12
The impact is unclear; they say:

> Only rooms which include users on potentially malicious servers (e.g. publicly joinable rooms on untrusted federations) are vulnerable.

and:

> these are not Critical Severity vulnerabilities, there is no requirement for room admins to upgrade rooms immediately on Jul 22nd
It's unclear what the actual vulnerability is, but the above announcement mentions something about "scenarios where Matrix’s state resolution algorithm can give unexpected results".
The fix seems rather radical:

> room creators effectively have infinite power level
This is going to be particularly chaotic for us as rooms were created by pretty much whoever.
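To know which rooms the upgrade list above actually covers, and who created them (which matters once creators effectively have infinite power level), an inventory of the rooms one of the "root" accounts has joined is the first thing to run. The script below is an added example written for this ticket, not Matrix.org's or TPA's own tooling. It assumes `HOMESERVER` and `MATRIX_TOKEN` environment variables for the account, uses only spec'd client-server endpoints (`/joined_rooms`, `/rooms/{id}/state`, `/rooms/{id}/upgrade`), and its `--upgrade` flag is a name I chose; the sample rooms at the bottom are constructed so it runs offline without credentials.

```python
"""Inventory joined Matrix rooms by room version and creator.

Added example for this ticket; not Matrix.org's or TPA's own tooling.
Assumes HOMESERVER (e.g. https://matrix.example.org) and MATRIX_TOKEN
environment variables for a "root" account. Only spec'd client-server
endpoints are used. SAMPLE_ROOMS below is constructed test data.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

TARGET_VERSION = "12"  # version the predisclosure asks room admins to move to


def room_version_from_create(content):
    """Room version from an m.room.create event's content.

    The spec treats a create event without room_version as version "1"."""
    return str(content.get("room_version", "1"))


def needs_upgrade(version, target=TARGET_VERSION):
    """True if a stable numeric version is below target, False if not,
    None for unstable/unknown versions (e.g. org.matrix.msc...) that a
    human has to look at."""
    if not version.isdigit():
        return None
    return int(version) < int(target)


def classify_rooms(rooms):
    """rooms maps room_id -> m.room.create event ({'sender':..., 'content':...}).

    Returns sorted (room_id, version, creator, status) tuples; status is
    'upgrade', 'ok' or 'unknown'. The creator column is the sender of the
    create event, the account that keeps infinite power level under v12."""
    report = []
    for room_id, ev in rooms.items():
        version = room_version_from_create(ev.get("content", {}))
        flag = needs_upgrade(version)
        status = "unknown" if flag is None else ("upgrade" if flag else "ok")
        report.append((room_id, version, ev.get("sender", "?"), status))
    return sorted(report)


def _api(homeserver, token, method, path, body=None):
    """Minimal authenticated call against the client-server API."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        homeserver.rstrip("/") + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_create_events(homeserver, token):
    """Collect the m.room.create event of every joined room.

    /rooms/{id}/state returns full events (with sender), unlike the
    /state/m.room.create shortcut, which returns only the content."""
    rooms = {}
    joined = _api(homeserver, token, "GET",
                  "/_matrix/client/v3/joined_rooms")["joined_rooms"]
    for room_id in joined:
        quoted = urllib.parse.quote(room_id, safe="")
        state = _api(homeserver, token, "GET",
                     f"/_matrix/client/v3/rooms/{quoted}/state")
        rooms[room_id] = next(e for e in state if e["type"] == "m.room.create")
    return rooms


def upgrade_room(homeserver, token, room_id, new_version=TARGET_VERSION):
    """Ask the server to upgrade a room; returns the replacement room id.
    The caller must hold the power level the room requires for upgrades."""
    quoted = urllib.parse.quote(room_id, safe="")
    resp = _api(homeserver, token, "POST",
                f"/_matrix/client/v3/rooms/{quoted}/upgrade",
                {"new_version": new_version})
    return resp["replacement_room"]


# Constructed sample create events, used when no credentials are set.
SAMPLE_ROOMS = {
    "!old:example.org": {"sender": "@alice:example.org", "content": {}},
    "!tor:example.org": {"sender": "@bob:example.org",
                         "content": {"room_version": "10"}},
    "!new:example.org": {"sender": "@carol:example.org",
                         "content": {"room_version": "12"}},
    "!exp:example.org": {"sender": "@dave:example.org",
                         "content": {"room_version": "org.example.unstable"}},
}


if __name__ == "__main__":
    hs, tok = os.environ.get("HOMESERVER"), os.environ.get("MATRIX_TOKEN")
    rooms = fetch_create_events(hs, tok) if hs and tok else SAMPLE_ROOMS
    report = classify_rooms(rooms)
    for room_id, version, creator, status in report:
        print(f"{status:8} v{version:<20} {creator:28} {room_id}")
    # Only act on the 'upgrade' rows, and only when explicitly asked to.
    if "--upgrade" in sys.argv and hs and tok:
        for room_id, _v, _c, status in report:
            if status == "upgrade":
                print("upgraded", room_id, "->", upgrade_room(hs, tok, room_id))
```

Run it once without `--upgrade` and read the creator column before upgrading anything: a room whose create event was sent by an account nobody controls anymore is exactly the "created by pretty much whoever" case, and the usual fix is to have a current admin upgrade it so the new v12 room's creator is someone you trust. Rooms reported as `unknown` are on an unstable version and need a manual look.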
Assigning to @ahf and @micah since I'm going AFK for three weeks and they're the other two "root" users on Matrix.
The debian.social folks have been notified as well, and I assume they will take the necessary precautions, but I haven't got confirmation. Ping them on #debian-social / OFTC to confirm.