Update dependency turt2live/matrix-media-repo to v1.3.8 #5

Merged
Bluemedia merged 1 commit from renovate/turt2live-matrix-media-repo-1.x into main 2025-01-17 23:49:20 +01:00

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| turt2live/matrix-media-repo | patch | v1.3.7 -> v1.3.8 |

Release Notes

turt2live/matrix-media-repo (turt2live/matrix-media-repo)

v1.3.8

Compare Source

Security
  • Limit untrusted decoders during thumbnailing (GHSA-rcxc-wjgw-579r / CVE-2024-56515)
  • Improve handling of JSON (GHSA-gp86-q8hg-fpxj / CVE-2024-52791)
  • Fix SSRF issues (GHSA-r6jg-jfv6-2fjv / CVE-2024-52602)
Added
  • Allow guests to access uploaded media, as per MSC4189.
  • The thumbnailer can now be run independently with the thumbnailer binary. See thumbnailer -help for details.
Changed
  • MMR now requires Go 1.22 for compilation.
  • MMR now builds on a base image of alpine:3.21.
  • The global repo.freezeUnauthenticatedMedia option now defaults to true, enabling authenticated media by default. A future release will remove this option, requiring the freeze behaviour. See config.sample.yaml for details.
  • For SVG and JPEGXL files, ImageMagick 7 is now required.
  • For MP4 files, ffmpeg 6 or 7 (use 7 for best results) is now required.
Fixed
  • Return a 404 instead of 500 when clients access media which is frozen.
  • Return a 403 instead of 500 when guests access endpoints that are for registered users only.
  • Ensure the request parameters are correctly set for authenticated media client requests.
  • Ensure remote signing keys expire after at most 7 days.
  • Fixed parsing of Authorization headers for federated servers.
  • Ensure ignoredHosts is applied to unauthenticated requests.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Renovate added 1 commit 2025-01-16 21:18:24 +01:00
Update dependency turt2live/matrix-media-repo to v1.3.8
All checks were successful
ci/woodpecker/push/matrix-media-repo Pipeline was successful
4955d1d308
Bluemedia merged commit 4955d1d308 into main 2025-01-17 23:49:20 +01:00
Bluemedia deleted branch renovate/turt2live-matrix-media-repo-1.x 2025-01-17 23:49:20 +01:00
Reference: Bluemedia/docker-image-pipelines#5