Several vulnerabilities identified that put many Matrix clients at risk

The Matrix protocol

Matrix is an open instant messaging protocol. It is designed to let users communicate through online chat, voice over IP, and video chat.

Recently the developers of the decentralized communications platform "Matrix" issued a warning about several vulnerabilities that were found and are critical in matrix-js-sdk, matrix-ios-sdk, and the matrix-android-sdk2 library. They allow server administrators to impersonate other users and read messages from end-to-end encrypted (E2EE) chats.

It is mentioned that to complete an attack successfully, a homeserver controlled by the attackers has to be accessed (homeserver: the server that stores client history and accounts). Using end-to-end encryption on the client side does not allow the server administrator to interfere with messages, but the identified vulnerabilities allow this protection to be bypassed.

The issues affect the main Matrix client, Element (formerly Riot), for web, desktop, iOS, and Android, as well as third-party client apps such as Cinny, Beeper, SchildiChat, Circuli, and Synod.im.

The vulnerabilities are not present in the matrix-rust-sdk, hydrogen-sdk, Matrix Dart SDK, matrix-python, matrix-go, and matrix-nio libraries, nor in the Hydrogen, ElementX, Nheko, FluffyChat, Siphon, Timmy, Gomuks, and Pantalaimon applications.

Note that the critical severity issues are implementation issues in matrix-js-sdk and its derivatives, and are not protocol issues in Matrix. The latest version of the researchers' paper that we have seen incorrectly portrays Element as the "benchmark Matrix client" and conflates low-severity implementation errors with criticism of the protocol's severity.

There are three main attack scenarios:

  1. A Matrix server administrator can break emoji-based verification (SAS, Short Authentication String) when cross-signing is used and impersonate another user. The issue is caused by a vulnerability (CVE-2022-39250) in the matrix-js-sdk code related to the conflation of device ID handling and cross-signing keys.
  2. An attacker who controls the server can impersonate a trusted sender and pass on a fake key in order to intercept messages from other users. The issue is due to a vulnerability in matrix-js-sdk (CVE-2022-39251), matrix-ios-sdk (CVE-2022-39255), and matrix-android-sdk2 (CVE-2022-39248), which caused the client to incorrectly accept messages addressed to encrypted devices using the Megolm protocol instead of Olm, attributing the messages to the Megolm sender instead of the actual sender.
  3. By exploiting the vulnerabilities mentioned in the previous paragraph, the server administrator can also add a dummy spare key to the user's account in order to extract the keys used to encrypt messages.
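
The check that was missing in the second scenario can be written as a receive-side policy. This is an added example, not code from matrix-js-sdk or the Matrix project: the event record shape (`transport`, `envelopeSender`, `payloadSender`) and the function names are assumptions, while the algorithm and event-type strings are the Matrix identifiers for Olm, Megolm, and key-bearing to-device events.

```javascript
// Added example: hypothetical receive-side policy, not the SDK's own code.
const OLM = "m.olm.v1.curve25519-aes-sha2";
const MEGOLM = "m.megolm.v1.aes-sha2";
// Decrypted event types that carry room keys or secrets.
const KEY_BEARING = new Set(["m.room_key", "m.forwarded_room_key", "m.secret.send"]);

// ev: { transport, algorithm, envelopeSender, payloadSender, type } (assumed shape)
function checkDecrypted(ev) {
  // To-device traffic must arrive over Olm; Megolm carries room messages only.
  if (ev.transport === "to_device" && ev.algorithm !== OLM) {
    return { accept: false, reason: "to-device event not encrypted with Olm" };
  }
  // Key material must never be taken from a room timeline.
  if (ev.transport === "room" && KEY_BEARING.has(ev.type)) {
    return { accept: false, reason: "key-bearing event delivered in a room" };
  }
  // The sender named inside the Olm payload must match the envelope sender.
  if (ev.algorithm === OLM && ev.payloadSender !== ev.envelopeSender) {
    return { accept: false, reason: "payload sender differs from envelope sender" };
  }
  return { accept: true, reason: "ok", sender: ev.envelopeSender };
}

// Constructed sample events (user IDs and values are made up for illustration).
const SAMPLES = [
  { transport: "to_device", algorithm: OLM, type: "m.room_key",
    envelopeSender: "@alice:example.org", payloadSender: "@alice:example.org" },
  { transport: "to_device", algorithm: MEGOLM, type: "m.forwarded_room_key",
    envelopeSender: "@alice:example.org", payloadSender: "@alice:example.org" },
  { transport: "room", algorithm: MEGOLM, type: "m.secret.send",
    envelopeSender: "@mallory:example.org", payloadSender: "@mallory:example.org" },
  { transport: "to_device", algorithm: OLM, type: "m.room_key",
    envelopeSender: "@alice:example.org", payloadSender: "@bob:example.org" },
  { transport: "room", algorithm: MEGOLM, type: "m.room.message",
    envelopeSender: "@bob:example.org", payloadSender: "@bob:example.org" },
];

function auditSamples() {
  return SAMPLES.map((ev) => checkDecrypted(ev));
}

console.log(auditSamples().map((r) => `${r.accept ? "ACCEPT" : "REJECT"}: ${r.reason}`).join("\n"));
```

Only the first and last sample events pass; the Megolm-encrypted to-device event that the affected clients accepted is rejected before any sender attribution happens.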

The researchers who identified the vulnerabilities also demonstrated attacks that add a third-party user to a chat or connect a third-party device to a user. The attacks rely on the fact that the service messages used to add users to a chat are not tied to the keys of the chat's creator and can be generated by the server administrator.

The Matrix project developers classified these vulnerabilities as minor, since such manipulations are not inherent to Matrix and only affect clients based on the protocol, but this does not mean they will go unnoticed: if a user is substituted, they will be shown in the list of chat users, and when a device is added, a warning will be displayed and the device will be marked as unverified (in this case, immediately after the unauthorized device is added, it will start receiving the public keys needed to decrypt messages).

You will notice that matrix-rust-sdk, hydrogen-sdk, and other 2nd and 3rd generation SDKs were not affected by the bugs at the root of the critical issues here. This is precisely why we have been working to replace the first generation SDKs with a clean, carefully written Rust implementation in the form of matrix-rust-sdk, complete with an ongoing public audit.

The vulnerabilities are caused by bugs in individual implementations of the Matrix protocol and are not problems with the protocol itself. At present, the project has released updates for the affected SDKs and for some of the client applications built on top of them.

Finally, if you are interested in learning more about it, you can check the details in the following link.

