From d35d6f253b6d9cbf04976a32d3be3dc41423a967 Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Wed, 24 Feb 2021 17:35:58 +0000
Subject: [PATCH 1/8] Upgrade matrix-js-sdk to 9.8.0-rc.1
---
 package.json | 2 +-
 yarn.lock | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 99ab4cf3c6..d1836021c1 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
 "highlight.js": "^10.5.0",
 "jsrsasign": "^10.1.5",
 "katex": "^0.12.0",
- "matrix-js-sdk": "github:matrix-org/matrix-js-sdk#develop",
+ "matrix-js-sdk": "9.8.0-rc.1",
 "matrix-react-sdk": "github:matrix-org/matrix-react-sdk#develop",
 "matrix-widget-api": "^0.1.0-beta.13",
 "olm": "https://packages.matrix.org/npm/olm/olm-3.2.1.tgz",
diff --git a/yarn.lock b/yarn.lock
index 923b33f3fb..7ea9b23abf 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7506,6 +7506,21 @@ mathml-tag-names@^2.1.3:
 resolved "https://registry.yarnpkg.com/mathml-tag-names/-/mathml-tag-names-2.1.3.tgz#4ddadd67308e780cf16a47685878ee27b736a0a3"
 integrity sha512-APMBEanjybaPzUrfqU0IMU5I0AswKMH7k8OTLs0vvV4KZpExkTkY87nR/zpbuTPj+gARop7aGUbl11pnDfW6xg==
 
+matrix-js-sdk@9.8.0-rc.1:
+ version "9.8.0-rc.1"
+ resolved "https://registry.yarnpkg.com/matrix-js-sdk/-/matrix-js-sdk-9.8.0-rc.1.tgz#229122583bec5971f22a423a4a40d749e07602d9"
+ integrity sha512-Tmo5cdyBBgYcMZMaAavEvtdCsEwr5sYE0RLd6etLOSTxmGRSYpqKvvKQqGsYrogmZYNbx9nNZYYYV2aJkCKcQg==
+ dependencies:
+ "@babel/runtime" "^7.12.5"
+ another-json "^0.2.0"
+ browser-request "^0.3.3"
+ bs58 "^4.0.1"
+ content-type "^1.0.4"
+ loglevel "^1.7.1"
+ qs "^6.9.6"
+ request "^2.88.2"
+ unhomoglyph "^1.0.6"
+
 "matrix-js-sdk@github:matrix-org/matrix-js-sdk#develop":
 version "9.7.0"
 resolved "https://codeload.github.com/matrix-org/matrix-js-sdk/tar.gz/c82bc35202f93efa2cb9b27b140f83df37c64ab2"
From c3c1a5da8d017d7667cc44caea256079eb9db68c Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Wed, 24 Feb 2021 17:36:33 +0000
Subject: [PATCH 2/8] Upgrade matrix-react-sdk to 3.15.0-rc.1
---
 package.json | 2 +-
 yarn.lock | 23 +++++------------------
 2 files changed, 6 insertions(+), 19 deletions(-)
diff --git a/package.json b/package.json
index d1836021c1..788d942636 100644
--- a/package.json
+++ b/package.json
@@ -59,7 +59,7 @@
 "jsrsasign": "^10.1.5",
 "katex": "^0.12.0",
 "matrix-js-sdk": "9.8.0-rc.1",
- "matrix-react-sdk": "github:matrix-org/matrix-react-sdk#develop",
+ "matrix-react-sdk": "3.15.0-rc.1",
 "matrix-widget-api": "^0.1.0-beta.13",
 "olm": "https://packages.matrix.org/npm/olm/olm-3.2.1.tgz",
 "prop-types": "^15.7.2",
diff --git a/yarn.lock b/yarn.lock
index 7ea9b23abf..b1ac4e61b9 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7521,20 +7521,6 @@ matrix-js-sdk@9.8.0-rc.1:
 request "^2.88.2"
 unhomoglyph "^1.0.6"
 
-"matrix-js-sdk@github:matrix-org/matrix-js-sdk#develop":
- version "9.7.0"
- resolved "https://codeload.github.com/matrix-org/matrix-js-sdk/tar.gz/c82bc35202f93efa2cb9b27b140f83df37c64ab2"
- dependencies:
- "@babel/runtime" "^7.12.5"
- another-json "^0.2.0"
- browser-request "^0.3.3"
- bs58 "^4.0.1"
- content-type "^1.0.4"
- loglevel "^1.7.1"
- qs "^6.9.6"
- request "^2.88.2"
- unhomoglyph "^1.0.6"
-
 matrix-mock-request@^1.2.3:
 version "1.2.3"
 resolved "https://registry.yarnpkg.com/matrix-mock-request/-/matrix-mock-request-1.2.3.tgz#56b15d86e2601a9b48a854844396d18caab649c8"
@@ -7543,9 +7529,10 @@ matrix-mock-request@^1.2.3:
 bluebird "^3.5.0"
 expect "^1.20.2"
 
-"matrix-react-sdk@github:matrix-org/matrix-react-sdk#develop":
- version "3.14.0"
- resolved "https://codeload.github.com/matrix-org/matrix-react-sdk/tar.gz/b6a4876c8a6d6b12b5eaad93ee91869422f02837"
+matrix-react-sdk@3.15.0-rc.1:
+ version "3.15.0-rc.1"
+ resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-3.15.0-rc.1.tgz#ba50aff5aa0e9464f7893c53fa46615b46cc5a75"
+ integrity sha512-siKNbF9Iy3NyFJjZQcheBfzg/fqIj6Xl4MoKkzEptLhZQfvX6G69dFAYh3lQmqOMEP2OrkWG+ynEtomu9Fhy+Q==
 dependencies:
 "@babel/runtime" "^7.12.5"
 await-lock "^2.1.0"
@@ -7573,7 +7560,7 @@ matrix-mock-request@^1.2.3:
 katex "^0.12.0"
 linkifyjs "^2.1.9"
 lodash "^4.17.20"
- matrix-js-sdk "github:matrix-org/matrix-js-sdk#develop"
+ matrix-js-sdk "9.8.0-rc.1"
 matrix-widget-api "^0.1.0-beta.13"
 minimist "^1.2.5"
 pako "^2.0.3"
From aff0c9823eabb2cb52bddc93d31ffffe14c5d640 Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Wed, 24 Feb 2021 17:39:08 +0000
Subject: [PATCH 3/8] Prepare changelog for v1.7.22-rc.1
---
 CHANGELOG.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76e7c0b42e..ee1105c3b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,21 @@
+Changes in [1.7.22-rc.1](https://github.com/vector-im/element-web/releases/tag/v1.7.22-rc.1) (2021-02-24)
+=========================================================================================================
+[Full Changelog](https://github.com/vector-im/element-web/compare/v1.7.21...v1.7.22-rc.1)
+
+ * Upgrade to React SDK 3.15.0-rc.1 and JS SDK 9.8.0-rc.1
+ * Translations update from Weblate
+ [\#16529](https://github.com/vector-im/element-web/pull/16529)
+ * Add hostSignup config for element.io clients
+ [\#16515](https://github.com/vector-im/element-web/pull/16515)
+ * VoIP virtual rooms, mkII
+ [\#16442](https://github.com/vector-im/element-web/pull/16442)
+ * Jitsi widget: Read room name from query parameters
+ [\#16456](https://github.com/vector-im/element-web/pull/16456)
+ * fix / sso: make sure to delete only loginToken after redirect
+ [\#16415](https://github.com/vector-im/element-web/pull/16415)
+ * Disable Countly
+ [\#16433](https://github.com/vector-im/element-web/pull/16433)
+
 Changes in [1.7.21](https://github.com/vector-im/element-web/releases/tag/v1.7.21) (2021-02-16)
 ===============================================================================================
 [Full Changelog](https://github.com/vector-im/element-web/compare/v1.7.21-rc.1...v1.7.21)
From 4f13b707bbbf6d7c3779a3fbc1ad95c07f404e4f Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Wed, 24 Feb 2021 17:39:09 +0000
Subject: [PATCH 4/8] v1.7.22-rc.1
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 788d942636..068d3246b8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "element-web",
- "version": "1.7.21",
+ "version": "1.7.22-rc.1",
 "description": "A feature-rich client for Matrix.org",
 "author": "New Vector Ltd.",
 "repository": {
From 799f60c0ee3b0d3ad4c0ef03f31e8a7824a998fc Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Mon, 1 Mar 2021 13:12:50 +0000
Subject: [PATCH 5/8] Upgrade matrix-js-sdk to 9.8.0
---
 package.json | 2 +-
 yarn.lock | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 068d3246b8..1a4da47a92 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
 "highlight.js": "^10.5.0",
 "jsrsasign": "^10.1.5",
 "katex": "^0.12.0",
- "matrix-js-sdk": "9.8.0-rc.1",
+ "matrix-js-sdk": "9.8.0",
 "matrix-react-sdk": "3.15.0-rc.1",
 "matrix-widget-api": "^0.1.0-beta.13",
 "olm": "https://packages.matrix.org/npm/olm/olm-3.2.1.tgz",
diff --git a/yarn.lock b/yarn.lock
index b1ac4e61b9..e173712f65 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7506,6 +7506,21 @@ mathml-tag-names@^2.1.3:
 resolved "https://registry.yarnpkg.com/mathml-tag-names/-/mathml-tag-names-2.1.3.tgz#4ddadd67308e780cf16a47685878ee27b736a0a3"
 integrity sha512-APMBEanjybaPzUrfqU0IMU5I0AswKMH7k8OTLs0vvV4KZpExkTkY87nR/zpbuTPj+gARop7aGUbl11pnDfW6xg==
 
+matrix-js-sdk@9.8.0:
+ version "9.8.0"
+ resolved "https://registry.yarnpkg.com/matrix-js-sdk/-/matrix-js-sdk-9.8.0.tgz#d71d8c777d2fea3dbc9a050060e4f1a74217dca6"
+ integrity sha512-QKRsnmId53upz4oMhQzm119lT0EcST2SZhnKRRFyykxZI0x7qSulnTTUwztpS/g9yZuZqy7PTVUTHOE2caX5IQ==
+ dependencies:
+ "@babel/runtime" "^7.12.5"
+ another-json "^0.2.0"
+ browser-request "^0.3.3"
+ bs58 "^4.0.1"
+ content-type "^1.0.4"
+ loglevel "^1.7.1"
+ qs "^6.9.6"
+ request "^2.88.2"
+ unhomoglyph "^1.0.6"
+
 matrix-js-sdk@9.8.0-rc.1:
 version "9.8.0-rc.1"
 resolved "https://registry.yarnpkg.com/matrix-js-sdk/-/matrix-js-sdk-9.8.0-rc.1.tgz#229122583bec5971f22a423a4a40d749e07602d9"
From f94f97d83aef38ae8b602880fb99091cd3393b51 Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Mon, 1 Mar 2021 13:13:14 +0000
Subject: [PATCH 6/8] Upgrade matrix-react-sdk to 3.15.0
---
 package.json | 2 +-
 yarn.lock | 25 +++++--------------------
 2 files changed, 6 insertions(+), 21 deletions(-)
diff --git a/package.json b/package.json
index 1a4da47a92..feadc6d646 100644
--- a/package.json
+++ b/package.json
@@ -59,7 +59,7 @@
 "jsrsasign": "^10.1.5",
 "katex": "^0.12.0",
 "matrix-js-sdk": "9.8.0",
- "matrix-react-sdk": "3.15.0-rc.1",
+ "matrix-react-sdk": "3.15.0",
 "matrix-widget-api": "^0.1.0-beta.13",
 "olm": "https://packages.matrix.org/npm/olm/olm-3.2.1.tgz",
 "prop-types": "^15.7.2",
diff --git a/yarn.lock b/yarn.lock
index e173712f65..b469c366be 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7521,21 +7521,6 @@ matrix-js-sdk@9.8.0:
 request "^2.88.2"
 unhomoglyph "^1.0.6"
 
-matrix-js-sdk@9.8.0-rc.1:
- version "9.8.0-rc.1"
- resolved "https://registry.yarnpkg.com/matrix-js-sdk/-/matrix-js-sdk-9.8.0-rc.1.tgz#229122583bec5971f22a423a4a40d749e07602d9"
- integrity sha512-Tmo5cdyBBgYcMZMaAavEvtdCsEwr5sYE0RLd6etLOSTxmGRSYpqKvvKQqGsYrogmZYNbx9nNZYYYV2aJkCKcQg==
- dependencies:
- "@babel/runtime" "^7.12.5"
- another-json "^0.2.0"
- browser-request "^0.3.3"
- bs58 "^4.0.1"
- content-type "^1.0.4"
- loglevel "^1.7.1"
- qs "^6.9.6"
- request "^2.88.2"
- unhomoglyph "^1.0.6"
-
 matrix-mock-request@^1.2.3:
 version "1.2.3"
 resolved "https://registry.yarnpkg.com/matrix-mock-request/-/matrix-mock-request-1.2.3.tgz#56b15d86e2601a9b48a854844396d18caab649c8"
@@ -7544,10 +7529,10 @@ matrix-mock-request@^1.2.3:
 bluebird "^3.5.0"
 expect "^1.20.2"
 
-matrix-react-sdk@3.15.0-rc.1:
- version "3.15.0-rc.1"
- resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-3.15.0-rc.1.tgz#ba50aff5aa0e9464f7893c53fa46615b46cc5a75"
- integrity sha512-siKNbF9Iy3NyFJjZQcheBfzg/fqIj6Xl4MoKkzEptLhZQfvX6G69dFAYh3lQmqOMEP2OrkWG+ynEtomu9Fhy+Q==
+matrix-react-sdk@3.15.0:
+ version "3.15.0"
+ resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-3.15.0.tgz#08ceba225383affa194632dceb3408dcb9127fde"
+ integrity sha512-85dSe0dBptgC6U98ujN6RIA8WSmRGWnxOW6Ph8LiEsAjI4FKxaShsPjuNM6PDBd5Fl/5ygktA7s3JYzDMJVIrA==
 dependencies:
 "@babel/runtime" "^7.12.5"
 await-lock "^2.1.0"
@@ -7575,7 +7560,7 @@ matrix-react-sdk@3.15.0-rc.1:
 katex "^0.12.0"
 linkifyjs "^2.1.9"
 lodash "^4.17.20"
- matrix-js-sdk "9.8.0-rc.1"
+ matrix-js-sdk "9.8.0"
 matrix-widget-api "^0.1.0-beta.13"
 minimist "^1.2.5"
 pako "^2.0.3"
From 594c07b2d919b4d044161ff0a983f1576817204a Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Mon, 1 Mar 2021 13:18:18 +0000
Subject: [PATCH 7/8] Prepare changelog for v1.7.22
---
 CHANGELOG.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee1105c3b3..9893a4b7b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,20 @@
+Changes in [1.7.22](https://github.com/vector-im/element-web/releases/tag/v1.7.22) (2021-03-01)
+===============================================================================================
+[Full Changelog](https://github.com/vector-im/element-web/compare/v1.7.22-rc.1...v1.7.22)
+
+## Security notice
+
+Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a low
+severity issue (CVE-2021-21320) where the user content sandbox can be abused to
+trick users into opening unexpected documents. The content is opened with a
+`blob` origin that cannot access Matrix user data, so messages and secrets are
+not at risk. Thanks to @keerok for responsibly disclosing this via Matrix's
+Security Disclosure Policy.
+
+## All changes
+
+ * Upgrade to React SDK 3.15.0 and JS SDK 9.8.0
+
 Changes in [1.7.22-rc.1](https://github.com/vector-im/element-web/releases/tag/v1.7.22-rc.1) (2021-02-24)
 =========================================================================================================
 [Full Changelog](https://github.com/vector-im/element-web/compare/v1.7.21...v1.7.22-rc.1)
From 06798f30305028fde7ab392ddbf745e5703f39e5 Mon Sep 17 00:00:00 2001
From: RiotRobot
Date: Mon, 1 Mar 2021 13:18:19 +0000
Subject: [PATCH 8/8] v1.7.22
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index feadc6d646..b53953554a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "element-web",
- "version": "1.7.22-rc.1",
+ "version": "1.7.22",
 "description": "A feature-rich client for Matrix.org",
 "author": "New Vector Ltd.",
 "repository": {