events: fix ACLs being case sensitive #3
Merged
jevolk merged 1 commit into Feb 12, 2026
nell-freckle Bot pushed a commit to nicolerenee/infra that referenced this pull request Mar 8, 2026
…0 → v1.5.1 ) (#1513)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/matrix-construct/tuwunel](https://redirect.github.com/matrix-construct/tuwunel) | patch | `v1.5.0` → `v1.5.1` |

---

### Release Notes

<details>
<summary>matrix-construct/tuwunel (ghcr.io/matrix-construct/tuwunel)</summary>

### [`v1.5.1`](https://redirect.github.com/matrix-construct/tuwunel/releases/tag/v1.5.1)

[Compare Source](https://redirect.github.com/matrix-construct/tuwunel/compare/v1.5.0...v1.5.1)

##### Tuwunel 1.5.1

March 6, 2026

##### Security Fixes

- A security audit of SSO/OIDC released with 1.5.0 uncovered several issues. We strongly advise everyone using SSO/OIDC upgrade to this release. Users should also note that until MSC2454 is implemented (tracked by [#314](https://redirect.github.com/matrix-construct/tuwunel/issues/314)) accounts will have to set a password to access functionality protected by User Interactive Authentication (e.g. when removing devices). We are deeply grateful to [@outfrost](https://redirect.github.com/outfrost) and [@exodrifter](https://redirect.github.com/exodrifter) for their effort and professionalism as security researchers.
- Case-sensitive comparisons in Room Access Control Lists were fixed by [@velikopter](https://redirect.github.com/velikopter) ([ruma/ruma#2358](https://redirect.github.com/ruma/ruma/issues/2358)) ([matrix-construct/ruma#3](https://redirect.github.com/matrix-construct/ruma/issues/3)) ([`814cbc2`](https://redirect.github.com/matrix-construct/tuwunel/commit/814cbc2f3)).

##### New Features & Enhancements

- New options for `identity_provider` configurations include: `trusted` allowing association of SSO accounts to existing matrix users ([#252](https://redirect.github.com/matrix-construct/tuwunel/issues/252)); `unique_id_fallbacks` to disable random-string users; `registration` to prevent registration through an IdP altogether; `check_cookie` for deployments that cannot use cookies.
- Thanks to [@Enginecrafter77](https://redirect.github.com/Enginecrafter77) password authorization flows can now be disabled by configuring `login_with_password = false`. Clients will hide the input boxes for username and password. This option is useful for an e.g. SSO-only server. ([#336](https://redirect.github.com/matrix-construct/tuwunel/issues/336))
- Thanks to [@Lymia](https://redirect.github.com/Lymia) users of btrfs will see reduced space usage if they configure the new option `rocksdb_allow_fallocate = false`. ([#322](https://redirect.github.com/matrix-construct/tuwunel/issues/322)) (PR also has links to more information)
- Instructions for how to configure the TURN server built into Livekit and several corrections were contributed by serial documentation author [@winyadepla](https://redirect.github.com/winyadepla) in ([#285](https://redirect.github.com/matrix-construct/tuwunel/issues/285)).
- Many users will appreciate substantial documentation by [@alametti](https://redirect.github.com/alametti) for configuring well-known and root domain delegation in ([#352](https://redirect.github.com/matrix-construct/tuwunel/issues/352)).
- Thank you [@the-hazelnut](https://redirect.github.com/the-hazelnut) for updating TURN and Matrix RTC documentation with ports to be forwarded for NAT. ([#305](https://redirect.github.com/matrix-construct/tuwunel/issues/305)) ([#306](https://redirect.github.com/matrix-construct/tuwunel/issues/306))
- The `username` claim is now recognized when deciding the MXID during SSO account registration thanks to a suggestion by [@aazf](https://redirect.github.com/aazf) in ([#287](https://redirect.github.com/matrix-construct/tuwunel/issues/287)).
- The max limit for `/messages` was increased from 100 to 1000 by [@dasha-uwu](https://redirect.github.com/dasha-uwu) which should match the limit on Synapse but with far less of a performance hazard.
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) properly optimized certain checked-math macros; other checked-math macros were also optimized for inlining.
- Concurrent batch requests can now be made to a notary server. The default concurrency is now two, and the size of the batches has been decreased by a third. This should reduce the time it takes to join large rooms.
- Optimization of functions which hurt performance for syncing user-presence were partially completed, though with marked improvement from before.
- Optimization of new state-resolution functionality added during Project Hydra took place. Along with additional optimization for auth-chain gathering, CPU use for large/complex rooms (so-called "bad rooms") has been greatly reduced.

##### Bug Fixes

- Special thanks to [@hatomist](https://redirect.github.com/hatomist) for fixing an error which changes a user's account-type when they set a password ([#313](https://redirect.github.com/matrix-construct/tuwunel/issues/313)). This impacted LDAP and some SSO users. We apologize for the inconvenience this may have caused.
- We appreciate effort by [@Jeidnx](https://redirect.github.com/Jeidnx) for addressing various issues with SSO/OIDC Identity Provider configuration in ([#281](https://redirect.github.com/matrix-construct/tuwunel/issues/281)). Also noteworthy was the idea to derive the callback\_url from other parameters by default rather than explicitly requiring it. Thanks to [@Magnitaizer](https://redirect.github.com/Magnitaizer) for reporting initially in ([#276](https://redirect.github.com/matrix-construct/tuwunel/issues/276)).
- Thanks [@VlaDexa](https://redirect.github.com/VlaDexa) for fixing the missing output formatting for the oauth delete command. ([#321](https://redirect.github.com/matrix-construct/tuwunel/issues/321))
- Thank you [@risu729](https://redirect.github.com/risu729) for updating the default port number in the docker run command documentation. ([#298](https://redirect.github.com/matrix-construct/tuwunel/issues/298))
- Thank you [@Lamby777](https://redirect.github.com/Lamby777) for removing an errant `version` field in the docker-compose example. (299)
- Thank you [@cornerot](https://redirect.github.com/cornerot) for updating the docker-compose with-traefik which still said Conduit instead of Tuwunel after all this time. ([#308](https://redirect.github.com/matrix-construct/tuwunel/issues/308))
- Thank you [@exodrifter](https://redirect.github.com/exodrifter) for fixing errors and typos in the MatrixRTC documentation ([#343](https://redirect.github.com/matrix-construct/tuwunel/issues/343)) based on a report by [@RhenCloud](https://redirect.github.com/RhenCloud) ([#338](https://redirect.github.com/matrix-construct/tuwunel/issues/338)).
- Thank you [@wuyukai0403](https://redirect.github.com/wuyukai0403) for proofreading and fixing a typo in the troubleshooting document. ([#312](https://redirect.github.com/matrix-construct/tuwunel/issues/312))
- A report by [@BVollmerhaus](https://redirect.github.com/BVollmerhaus) led to the reopening of ([#240](https://redirect.github.com/matrix-construct/tuwunel/issues/240)) to use Livekit/lk-jwt-service when federation is disabled. This was re-resolved by [@dasha-uwu](https://redirect.github.com/dasha-uwu) in ([`b79920a`](https://redirect.github.com/matrix-construct/tuwunel/commit/b79920a)).
- Thanks to [@Jeidnx](https://redirect.github.com/Jeidnx) for identifying a missing SSO redirect route in ([#290](https://redirect.github.com/matrix-construct/tuwunel/issues/290)) which was fixed in ([matrix-construct/ruma@`0130f6a`](https://redirect.github.com/matrix-construct/ruma/commit/0130f6a)).
- We appreciate the panic report by [@Spaenny](https://redirect.github.com/Spaenny) in [#296](https://redirect.github.com/matrix-construct/tuwunel/issues/296) which occurred during SSL-related upgrades on the main branch. Fixed by [@dasha-uwu](https://redirect.github.com/dasha-uwu) ([`87faf81`](https://redirect.github.com/matrix-construct/tuwunel/commit/87faf81)).
- Thanks to report ([#302](https://redirect.github.com/matrix-construct/tuwunel/issues/302)) by [@data-niklas](https://redirect.github.com/data-niklas) whitespace in the configured `client_secret_file` is now properly ignored thanks to [@dasha-uwu](https://redirect.github.com/dasha-uwu) ([`6f5ae17`](https://redirect.github.com/matrix-construct/tuwunel/commit/6f5ae17)).
- After [@Giwayume](https://redirect.github.com/Giwayume) reported in ([#303](https://redirect.github.com/matrix-construct/tuwunel/issues/303)) that URL previews failed for some sites, an investigation by [@dasha-uwu](https://redirect.github.com/dasha-uwu) discovered Tuwunel's User-Agent header required some adjustment.
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) refactored the Unix socket listener with main-branch testing by [@VlaDexa](https://redirect.github.com/VlaDexa) ([#310](https://redirect.github.com/matrix-construct/tuwunel/issues/310)) and follow-up fixes in ([`488bd62`](https://redirect.github.com/matrix-construct/tuwunel/commit/488bd62)).
- [@jonathanmajh](https://redirect.github.com/jonathanmajh) reported in ([#315](https://redirect.github.com/matrix-construct/tuwunel/issues/315)) and [@wmstens](https://redirect.github.com/wmstens) simultaneously reported in ([#318](https://redirect.github.com/matrix-construct/tuwunel/issues/318)) that admin status was not granted to the server's first user when registering with SSO/OIDC. This was fixed by ([`e74186a`](https://redirect.github.com/matrix-construct/tuwunel/commit/e74186a)).
- After a report by [@tcyrus](https://redirect.github.com/tcyrus) in ([#328](https://redirect.github.com/matrix-construct/tuwunel/issues/328)) that the RPM postinst script is not properly creating the tuwunel user. This was fixed by [@x86pup](https://redirect.github.com/x86pup) in ([`5a55f84`](https://redirect.github.com/matrix-construct/tuwunel/commit/5a55f84)).
- Thank you [@cloudrac3r](https://redirect.github.com/cloudrac3r) for reporting in ([#330](https://redirect.github.com/matrix-construct/tuwunel/issues/330)) that events were being unnecessarily sent to some appservices. This was fixed by [@dasha-uwu](https://redirect.github.com/dasha-uwu) in ([`d073e17`](https://redirect.github.com/matrix-construct/tuwunel/commit/d073e17)).
- Thanks to the report in ([#331](https://redirect.github.com/matrix-construct/tuwunel/issues/331)) by [@BVollmerhaus](https://redirect.github.com/BVollmerhaus) the first registered user is not granted admin when originating from an appservice. Fixed by [@dasha-uwu](https://redirect.github.com/dasha-uwu) in ([`9dfba59`](https://redirect.github.com/matrix-construct/tuwunel/commit/9dfba59)).
- The report by [@rexbron](https://redirect.github.com/rexbron) in ([#337](https://redirect.github.com/matrix-construct/tuwunel/issues/337)) discovered that some distributions set modest limits on threads per process. On many-core (32+) we may exceed these limits. The `RLIMIT_NPROC` is now raised ([`9e09162`](https://redirect.github.com/matrix-construct/tuwunel/commit/9e09162)) to mitigate this.
- [@x86pup](https://redirect.github.com/x86pup) set ManagedOOMPreference=avoid due to systemd not recognizing pressure-based deallocation with `madvise(2)` is not an out-of-memory condition.
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) removed unnecessary added delays in the client endpoint for reporting.
- Server shutdown did not properly indicate offline status of the conduit user due to a recent regression, now fixed.
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) fixed logic issues in the client `/members` query filter. These same logic errors were also found in Synapse and Dendrite.
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) fixed the missing advertisement for `org.matrix.msc3827.stable` in client `/versions`.
- Custom profile fields were sometimes being double-escaped in responses to clients due to a JSON re-interpretation issue which is now fixed.
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) fixed checks related to canonical aliases ([`0381547`](https://redirect.github.com/matrix-construct/tuwunel/commit/0381547c5)).
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) relaxed the `encryption_enabled_by_default_for_room_type` "invite" option to not match all rooms.
- [@x86pup](https://redirect.github.com/x86pup) fixed an issue with `display_name` and `avatar_url` omitted in `/joined_members` (fixed in our Ruma).
- Event processing of missing `prev_event`'s are no longer interrupted by an error from a sibling `prev_event`. This reduces CPU use by not repeating event processing before it would otherwise succeed.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: bot-nicole[bot] <205127124+bot-nicole[bot]@users.noreply.github.com>
No description provided.