From 4cf59098adafe1227eb4249d4d12efda0102f9b5 Mon Sep 17 00:00:00 2001
From: teutat3s <10206665+teutat3s@users.noreply.github.com>
Date: Sun, 28 Jun 2020 21:47:19 +0200
Subject: [PATCH 1/2] Update ma1sd to v2.4.0
---
 roles/matrix-ma1sd/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml
index 64cf7c9a0..9e21d862d 100644
--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
@@ -5,7 +5,7 @@ matrix_ma1sd_enabled: true
 matrix_ma1sd_container_image_self_build: false
-matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0"
+matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.4.0"
 matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"
 matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd"
From 0162fe31d151ca5a82555ffb5e5465df3d88a19e Mon Sep 17 00:00:00 2001
From: teutat3s <10206665+teutat3s@users.noreply.github.com>
Date: Sun, 28 Jun 2020 21:47:39 +0200
Subject: [PATCH 2/2] Re-enable ma1sd user directory search
---
 CHANGELOG.md | 12 ++++++++++++
 group_vars/matrix_servers | 5 +----
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 799ac45e4..41a781dcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# 2020-06-28
+
+## (Post Mortem / fixed Security Issue) Re-enabling User Directory search powered by the ma1sd Identity Server
+
+User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database.
+
+ma1sd's [security issue](https://github.com/ma1uta/ma1sd/issues/44) has been fixed in version `2.4.0`, with [this commit](ma1uta/ma1sd@2bb5a734d11662b06471113cf3d6b4cee5e33a85). `ma1sd 2.4.0` is now the default version for this playbook. For more information on what happened, please check the mentioned issue.
+
+We are re-enabling user directory search with this update. Those who would like to keep it disabled can use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false`
+
+As always, re-running the playbook is enough to get the updated bits.
+
 # 2020-06-11
 ## SMS bridging requires db reset
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 914d53c85..85dab4dd2 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -646,10 +646,7 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"
-# Not proxying the user directory search to the identity server by default anymore,
-# because it currently leaks data.
-# See: https://github.com/ma1uta/ma1sd/issues/44
-matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
+matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
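Review bot: The new `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"` line removes the comment that recorded why the proxying had been switched off, so the precondition that makes it safe again — ma1sd 2.4.0 or newer, the fix for https://github.com/ma1uta/ma1sd/issues/44 that the first patch adopts as the default image — is no longer visible where the setting is made. `matrix_ma1sd_docker_image` is a role default operators can override, and `matrix_ma1sd_container_image_self_build` is exposed as well, so a deployment pinned to an older tag or built from an older checkout would presumably get directory search proxied to a ma1sd that still has the issue. I would keep a short comment above the line, e.g. `# Proxied to ma1sd only when it is enabled. Requires ma1sd >= 2.4.0, see https://github.com/ma1uta/ma1sd/issues/44 — pinning an older matrix_ma1sd_docker_image re-exposes the leak.`, and consider having the ma1sd role assert on the image tag when this setting evaluates to true.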