|
| 1 | ++++ |
| 2 | +date = "2025-08-11" |
| 3 | +title = "Security Release" |
| 4 | + |
| 5 | +[taxonomies] |
| 6 | +author = ["Jim Mackenzie, VP Trust & Safety — The Matrix.org Foundation"] |
| 7 | +category = ["Security"] |
| 8 | ++++ |
| 9 | + |
| 10 | +Hi all, |
| 11 | + |
| 12 | +Last month we issued a [Pre-disclosure: Upcoming coordinated security fix for all Matrix server implementations](https://matrix.org/blog/2025/07/security-predisclosure/), describing a coordinated release to fix two high severity protocol vulnerabilities (CVE-2025-49090; the other not yet allocated a CVE). That release is now available as of 17:00 UTC on August 11, 2025. Server updates are now available, and MSCs & spec updates will follow on Thursday, August 14, 2025, bringing us to version 1.16 of the spec later in the month, and introducing room version 12. |
| 13 | + |
| 14 | +<!-- more --> |
| 15 | + |
| 16 | +## What is changing? |
| 17 | + |
| 18 | +Room version 12 includes some changes to the semantics for room creators. Room creators are now privileged over other users in the room as of [MSC4289](https://github.com/matrix-org/matrix-spec-proposals/pull/4289). There is also a new `additional_creators` field in the `m.room.create` event for a room. |
| 19 | + |
| 20 | +The default power level in room v12 for sending `m.room.tombstone` events to upgrade rooms is now 150. This stops normal admins from upgrading the room (and so assuming creator privileges) - instead, a creator has to explicitly boost an admin's power level to 150 in order to let them upgrade the room and effectively assume creator rights going forwards. |
| 21 | + |
| 22 | +Room IDs are now hashes of the `m.room.create` event via [MSC4291](https://github.com/matrix-org/matrix-spec-proposals/pull/4291). This changes the format of the room ID that you are used to seeing, and your Matrix client will need to be updated to handle this new format. |
| 23 | + |
| 24 | +## What do I need to do? |
| 25 | + |
| 26 | +### As a Matrix user |
| 27 | + |
| 28 | +Upgrade your client to the latest version, making sure that it supports room version 12. Check your client’s upgrade notes or documentation for information on room version 12 support. |
| 29 | + |
| 30 | +### As a Matrix server administrator |
| 31 | + |
| 32 | +Upgrade your server software to the latest version, making sure that it supports room version 12. The following implementations are releasing fixes shortly as part of this coordinated update: |
| 33 | + |
| 34 | +* [Conduit](https://conduit.rs/) |
| 35 | +* [Continuwuity](https://continuwuity.org/) |
| 36 | +* [ejabberd](https://www.ejabberd.im/index.html) |
| 37 | +* [Dendrite](https://element-hq.github.io/dendrite/) |
| 38 | +* [Rocket.chat](https://www.rocket.chat/) |
| 39 | +* [Synapse](https://github.com/element-hq/synapse) |
| 40 | +* [Synapse Pro](https://element.io/server-suite/synapse-pro) |
| 41 | +* [Tuwunel](https://github.com/matrix-construct/tuwunel) |
| 42 | + |
| 43 | +For questions around these implementations, please visit their respective support rooms. |
| 44 | + |
| 45 | +Note: Whether or not you need to apply the security updates depends on your homeserver configuration: |
| 46 | + |
| 47 | +* *Single instance, unfederated homeserver* |
| 48 | + You are running a single instance of a Matrix homeserver, and federation is disabled. There is nothing you need to do urgently. |
| 49 | +* *Homeservers operating in a restricted federation* |
| 50 | + Your server(s) are running as part of a restricted federation - i.e. you have mechanisms in place (homeserver configuration, network restrictions etc) that limit which other homeservers your homeservers can talk to. |
| 51 | + * If you *fully trust* all of the homeservers in this restricted federation then there is nothing you need to do urgently. |
| 52 | + * If you *do not fully trust* all of the homeservers in this restricted federation (e.g. if they are run by partners outside of your direct span of control), you should update your server as soon as possible. |
| 53 | +* *Homeservers participating in open, unrestricted federation* |
| 54 | + If your server is participating in an open federation, you should update your server as soon as possible. |
| 55 | + |
| 56 | +### As a room owner or community |
| 57 | + |
| 58 | +If your rooms or spaces federate with untrusted servers, you should **plan** to upgrade your rooms to room version 12. The urgency of this upgrade may depend on your community’s readiness for the changes. At the Foundation, we are aiming to upgrade our rooms in September 2025. There needs to be enough time to allow clients and servers participating in your room to support v12 *before upgrading your room*. |
| 59 | + |
| 60 | +The new version includes some changes to room creator semantics, which means that choosing which user performs the upgrade needs some careful thought. Using a long-lived, trusted account, such as a moderation bot account, is advised. For more detailed advice, two of the Foundation Governing Board working groups — the Trust & Safety Research & Development Working Group, and the Website & Content Working Group — have collaborated on a guide for [upgrading rooms and spaces](https://matrix.org/docs/communities/administration/#room-upgrades) to version 12. That guide will help you to plan your upgrades and to make them happen. |
0 commit comments