pkgsrc-Changes archive


CVS commit: pkgsrc/chat/matrix-synapse



Module Name:    pkgsrc
Committed By:   gdt
Date:           Wed Dec  4 15:43:59 UTC 2024

Modified Files:
        pkgsrc/chat/matrix-synapse: Makefile distinfo

Log Message:
chat/matrix-synapse: Update to 1.120.2

This is a security patch release.

This patch release fixes multiple security vulnerabilities, some affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.
Security advisory

The following issues are fixed in 1.120.1.

    GHSA-rfq8-j7rh-8hf2 / CVE-2024-52805 (high): Unsupported content types can lead to memory exhaustion

    Synapse instances which have a high max_upload_size and which don't have a reverse proxy in front of them that would otherwise limit upload size are affected.

    Fixed by 4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf.

    GHSA-f3r3-h2mq-hx2h / CVE-2024-52815 (high): Malicious invites via federation can break a user's sync

    Fixed by d82e1ed357b7ee21dff83d06cba7a67840cfd464.

    GHSA-vp6v-whfm-rv3g / CVE-2024-53863 (high): Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders

    Synapse instances can disable dynamic thumbnailing by setting dynamic_thumbnails to false in the configuration file.

    Fixed by b64a4e5fbbbf119b6c65aedf0d999b4237d55503.

    GHSA-56w4-5538-8v8h / CVE-2024-53867 (moderate): The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room

    Non-state events, like messages, are unaffected.

    Synapse instances can disable the Sliding Sync feature by setting experimental_features.msc3575_enabled to false in the configuration file.

    Fixed by 4daa533e82f345ce87b9495d31781af570ba3ead.

Additionally, we disclose the following vulnerabilities, both have been fixed in Synapse 1.106.0:

    GHSA-4mhg-xv73-xq2x / CVE-2024-37302 (high): Denial of service through media disk space consumption

    GHSA-gjgr-7834-rhxr / CVE-2024-37303 (moderate): Unauthenticated writes to the media repository allow planting of problematic content
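A defender-side check for the configuration workarounds the log message names, written as an added example for this page and not code from Synapse or pkgsrc. It assumes the homeserver configuration has already been loaded into a dict (as yaml.safe_load would produce from homeserver.yaml), treats 100M as a hypothetical threshold for a "high" max_upload_size because the advisory text gives none, and assumes dynamic_thumbnails and experimental_features.msc3575_enabled are off when the keys are absent:

```python
"""Assess a Synapse homeserver config against the 1.120.2 advisory workarounds.

Added example for this commit mail; not Synapse's or pkgsrc's own code.
"""
import re

# Version range the advisory quotes for the Sliding Sync issue (CVE-2024-53867).
SLIDING_SYNC_AFFECTED = ("1.113.0rc1", "1.120.0")
FIXED_IN = "1.120.2"
# The advisory does not define "high max_upload_size"; 100M is an assumption for this example.
UPLOAD_SIZE_WARN_THRESHOLD = 100 * 1024 * 1024


def parse_version(v: str) -> tuple:
    """Turn '1.113.0rc1' into a comparable tuple; a final release sorts after its rcs."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, rc = m.groups()
    # Final release: use an infinite rc component so it sorts after rc1..rcN.
    rc_num = int(rc) if rc is not None else float("inf")
    return (int(major), int(minor), int(patch), rc_num)


def parse_size(value) -> int:
    """Parse a Synapse-style size ('50M', '1G', '1024K' or a bare byte count) into bytes."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?)\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    num, unit = m.groups()
    mult = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[unit.upper()]
    return int(num) * mult


def assess(version: str, cfg: dict, behind_limiting_proxy: bool) -> list:
    """Return findings (strings) for a running Synapse version and its config dict.

    behind_limiting_proxy: whether a reverse proxy in front of Synapse caps upload size.
    """
    findings = []
    v = parse_version(version)
    if v >= parse_version(FIXED_IN):
        return findings  # nothing from this advisory applies to a patched server

    # CVE-2024-52805: only relevant with a high max_upload_size and no upstream limit.
    # 50M is Synapse's documented default when the key is absent.
    size = parse_size(cfg.get("max_upload_size", "50M"))
    if size > UPLOAD_SIZE_WARN_THRESHOLD and not behind_limiting_proxy:
        findings.append("CVE-2024-52805: max_upload_size is high and no reverse proxy limits uploads")

    # CVE-2024-53863: workaround is dynamic_thumbnails: false (assumed off when absent).
    if cfg.get("dynamic_thumbnails", False):
        findings.append("CVE-2024-53863: dynamic_thumbnails is enabled; set it to false")

    # CVE-2024-53867: only the quoted version range; workaround is
    # experimental_features.msc3575_enabled: false (assumed off when absent).
    lo, hi = (parse_version(x) for x in SLIDING_SYNC_AFFECTED)
    sliding_sync_on = cfg.get("experimental_features", {}).get("msc3575_enabled", False)
    if lo <= v <= hi and sliding_sync_on:
        findings.append("CVE-2024-53867: Sliding Sync enabled on an affected version; "
                        "set experimental_features.msc3575_enabled to false")
    return findings


# Constructed sample homeserver.yaml contents, as a dict (not a real deployment).
SAMPLE_CONFIG = {
    "max_upload_size": "1G",
    "dynamic_thumbnails": True,
    "experimental_features": {"msc3575_enabled": True},
}

if __name__ == "__main__":
    for finding in assess("1.118.0", SAMPLE_CONFIG, behind_limiting_proxy=False):
        print(finding)
```

The version parser is the part worth attention: the advisory's lower bound is a release candidate, so "1.113.0rc1" must compare below "1.113.0" while "1.120.0" (a final release) still falls inside the affected range; a plain string comparison gets both wrong.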


To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 pkgsrc/chat/matrix-synapse/Makefile
cvs rdiff -u -r1.74 -r1.75 pkgsrc/chat/matrix-synapse/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/chat/matrix-synapse/Makefile
diff -u pkgsrc/chat/matrix-synapse/Makefile:1.105 pkgsrc/chat/matrix-synapse/Makefile:1.106
--- pkgsrc/chat/matrix-synapse/Makefile:1.105   Tue Nov 26 17:42:37 2024
+++ pkgsrc/chat/matrix-synapse/Makefile Wed Dec  4 15:43:58 2024
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.105 2024/11/26 17:42:37 gdt Exp $
+# $NetBSD: Makefile,v 1.106 2024/12/04 15:43:58 gdt Exp $
 
-DISTNAME=      matrix-synapse-1.120.0
+DISTNAME=      matrix-synapse-1.120.2
 CATEGORIES=    chat
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=element-hq/}
 GITHUB_PROJECT=        synapse
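Review bot: the DISTNAME bump in this hunk goes from 1.120.0 straight to 1.120.2, while the quoted advisory text in the log message says the four issues are fixed in 1.120.1; the log message should say what 1.120.2 adds over 1.120.1 (or that 1.120.2 is simply the current upstream point release), so a reader auditing the update can tell whether the extra release matters.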

Index: pkgsrc/chat/matrix-synapse/distinfo
diff -u pkgsrc/chat/matrix-synapse/distinfo:1.74 pkgsrc/chat/matrix-synapse/distinfo:1.75
--- pkgsrc/chat/matrix-synapse/distinfo:1.74    Tue Nov 26 17:42:37 2024
+++ pkgsrc/chat/matrix-synapse/distinfo Wed Dec  4 15:43:59 2024
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.74 2024/11/26 17:42:37 gdt Exp $
+$NetBSD: distinfo,v 1.75 2024/12/04 15:43:59 gdt Exp $
 
 BLAKE2s (aho-corasick-1.1.3.crate) = 36150b5dacb72fa7cd0d33aee15e14857914224878f0af76eabcb9daa68e3ae0
 SHA512 (aho-corasick-1.1.3.crate) = ba422a54688c4678fcf16e34fdf3ed06c333e6e3fc8b75af9272a215add494d43ebaef319021134b61327fd5d3572aec0dc655b714ffb3bc71ba3c265c9ebb69
@@ -90,9 +90,9 @@ Size (lock_api-0.4.12.crate) = 27591 byt
 BLAKE2s (log-0.4.22.crate) = 9c270d3af5640c9eeb36754e6fd6cf50521e9fd1efad955e0d777716b3d6839a
 SHA512 (log-0.4.22.crate) = bd7baa9c8a5523fd0864a53bcde955d484cacd782412b5b02c890b89dbf62137624da3a27337a310dd8f62bcc6606925a42bbd4ca161a3b7936ea4ff96bc0d71
 Size (log-0.4.22.crate) = 44027 bytes
-BLAKE2s (matrix-synapse-1.120.0.tar.gz) = 95ff702dd44b22aa6f023d904f8d7364ff5799fa8dedcac8a45e7b0d5ed45336
-SHA512 (matrix-synapse-1.120.0.tar.gz) = 624290effaced76b8461bbcb103f55411022ea726f6a5ceb31d525446b5e7d669b5bd8fbe8a916a8565197b34f3f76a59f50236fe72793c38883c9cb01969b56
-Size (matrix-synapse-1.120.0.tar.gz) = 8819007 bytes
+BLAKE2s (matrix-synapse-1.120.2.tar.gz) = a6e974041f2088e0752686b647be5f1dc5a0dab13cedc41b3a3b39538522591c
+SHA512 (matrix-synapse-1.120.2.tar.gz) = 30687e90bbb58ed605fc8241bfd8573ddabe4c1a46650cb4b0c9588701374f6ae06b6558d62f1b838d7ff47ca45563b8a1143ab036877f0b9f0e8b7c28048fcf
+Size (matrix-synapse-1.120.2.tar.gz) = 8821285 bytes
 BLAKE2s (memchr-2.7.2.crate) = 58bad593cd29bb59ae79239f6f69364c2c512fa365107c1c46c37878bf53126f
 SHA512 (memchr-2.7.2.crate) = cadcb4239c7f3aaab042592c5186770a225621e32f8583052fd3dbebb4a6d9b99be28f589b39b5ca36cb2d56fb3709e7d4ba91838ebb882e28e51280c02bbc40
 Size (memchr-2.7.2.crate) = 96220 bytes
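Review bot: the replaced BLAKE2s, SHA512 and Size lines for matrix-synapse-1.120.2.tar.gz are the only integrity check on the fetched distfile, so they should be regenerated from a tarball fetched through the MASTER_SITES entry in the Makefile (element-hq/synapse on GitHub) via `make fetch` and `make distinfo`, not copied from another source; the size change (8819007 to 8821285 bytes) is small, which is consistent with a patch release.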


