Several vulnerabilities found that put many Matrix clients at risk

The Matrix protocol

Matrix is an open instant messaging protocol. It is designed to let users communicate through online chat, voice over IP, and video chat.

The developers of the decentralized communications platform «Matrix» recently issued a warning about several critical vulnerabilities found in the matrix-js-sdk, matrix-ios-sdk, and matrix-android-sdk2 libraries. They allow server administrators to impersonate other users and read messages from end-to-end encrypted (E2EE) chats.

It is stated that, to complete an attack successfully, a homeserver controlled by the attackers must be accessed (homeserver: the server that stores client history and accounts). Client-side end-to-end encryption is meant to keep the server administrator from interfering with messaging, but the identified vulnerabilities allow this protection to be bypassed.

The issues affect the main Matrix client, Element (formerly Riot), for web, desktop, iOS, and Android, as well as third-party client applications such as Cinny, Beeper, SchildiChat, Circuli, and Synod.im.

The vulnerabilities do not appear in the libraries matrix-rust-sdk, hydrogen-sdk, Matrix Dart SDK, mautrix-python, mautrix-go, and matrix-nio, nor in the applications Hydrogen, ElementX, Nheko, FluffyChat, Siphon, Timmy, Gomuks, and Pantalaimon.

Note that the critical issues are implementation issues in matrix-js-sdk and derivatives, and are not protocol issues in Matrix. The latest version of the researchers' paper we have seen incorrectly portrays Element as "the benchmark Matrix client" and confuses higher-severity implementation bugs with lower-severity protocol criticism.

There are three main attack scenarios:

  1. A Matrix server administrator can break emoji-based verification (SAS, Short Authentication Strings) by using cross-signing and impersonating another user. The issue is caused by a vulnerability (CVE-2022-39250) in the matrix-js-sdk code related to the combined handling of device IDs and signing keys.
  2. An attacker who controls the server can impersonate a trusted sender and pass a fake key to intercept messages from other users. The issue is due to a vulnerability in matrix-js-sdk (CVE-2022-39251), matrix-ios-sdk (CVE-2022-39255), and matrix-android-sdk2 (CVE-2022-39248), which caused the client to incorrectly accept messages addressed to devices that were encrypted with the Megolm protocol instead of Olm, attributing the messages to the Megolm sender instead of the actual sender.
  3. By exploiting the vulnerability mentioned in the previous item, the server administrator can also add a dummy backup key to the user's account in order to extract the keys used to encrypt messages.
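
The check that item 2 describes as missing, sketched as an added JavaScript example (not matrix-js-sdk code and not part of the original article): to-device events are accepted only when encrypted with Olm, and the sender is taken from the authenticated Olm peer rather than from server-supplied fields. The event shapes are simplified, and `checkToDevice`, `olmPeer` and all sample identifiers are hypothetical.

```javascript
// Added example (not matrix-js-sdk code): gate for incoming to-device events.
// Event shapes are simplified; function and field names here are hypothetical.
const OLM = "m.olm.v1.curve25519-aes-sha2";
const MEGOLM = "m.megolm.v1.aes-sha2";
// To-device event types that carry room keys or secrets.
const KEY_BEARING = new Set(["m.room_key", "m.forwarded_room_key", "m.secret.send"]);

const reject = (reason) => ({ accept: false, reason });

// wire:      event as delivered by the (untrusted) homeserver
// olmPeer:   identity authenticated by the Olm session that decrypted the
//            event, or null when no Olm session was involved (assumption:
//            the crypto layer exposes it as { userId, curve25519 })
// plaintext: decrypted { type, content }, or null for unencrypted events
function checkToDevice(wire, olmPeer, plaintext) {
  if (wire.type !== "m.room.encrypted") {
    // Plaintext to-device traffic is server-forgeable: never take keys from it.
    return KEY_BEARING.has(wire.type)
      ? reject("key material sent unencrypted")
      : { accept: true, type: wire.type, sender: wire.sender, authenticated: false };
  }
  const alg = wire.content.algorithm;
  // Megolm is the group ratchet for room events; to-device events must use
  // Olm, the pairwise channel between two devices.
  if (alg === MEGOLM) return reject("to-device event encrypted with Megolm");
  if (alg !== OLM) return reject("unsupported algorithm: " + alg);
  if (!olmPeer || !plaintext) return reject("no authenticated Olm session");
  // Attribute the event to the Olm peer, not to server-supplied fields.
  if (wire.sender !== olmPeer.userId) return reject("sender does not match Olm peer");
  if (wire.content.sender_key !== olmPeer.curve25519) return reject("sender_key does not match Olm peer");
  return { accept: true, type: plaintext.type, sender: olmPeer.userId, authenticated: true };
}

// Constructed sample events (all identifiers are made up).
const alice = { userId: "@alice:example.org", curve25519: "ALICE_CURVE_KEY" };
const viaOlm = { type: "m.room.encrypted", sender: "@alice:example.org",
  content: { algorithm: OLM, sender_key: "ALICE_CURVE_KEY" } };
const viaMegolm = { type: "m.room.encrypted", sender: "@alice:example.org",
  content: { algorithm: MEGOLM, sender_key: "ALICE_CURVE_KEY" } };
const spoofed = { ...viaOlm, sender: "@bob:example.org" };
const key = { type: "m.forwarded_room_key", content: {} };

console.log(checkToDevice(viaOlm, alice, key));
console.log(checkToDevice(viaMegolm, null, key));
console.log(checkToDevice(spoofed, alice, key));
```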

The researchers who identified the vulnerabilities also demonstrated attacks that add a third-party user to a chat or connect a third-party device to a user. The attacks rely on the fact that the service messages used to add users to a chat are not bound to the keys of the chat creator and can be generated by the server administrator.

The Matrix project developers classified these vulnerabilities as minor, since such manipulations are not inherent to Matrix and only affect clients based on the protocol. That does not mean they will go unnoticed: if a user is substituted, this will be shown in the chat's user list, and when a device is added, a warning will be displayed and the device will be marked as unverified (in this case, immediately after the unauthorized device is added, it will start receiving the public keys needed to decrypt messages).

You will notice that matrix-rust-sdk, hydrogen-sdk, and other second and third generation SDKs were not affected by the bugs at the root of the critical issues here. This is precisely why we have been working to replace the first generation SDKs with a clean, carefully written Rust implementation in the form of matrix-rust-sdk, complete with an ongoing independent audit.

The vulnerabilities are caused by bugs in individual implementations of the Matrix protocol and are not problems with the protocol itself. For now, the project has released updates for the affected SDKs and for some of the client applications built on top of them.

Finally, if you are interested in knowing more about it, you can check the details at the following link.

