Your message dated Sun, 01 Oct 2023 08:23:32 +0000
with message-id <e1qmrjg-00gkel...@fasolo.debian.org>
and subject line Bug#1053283: fixed in matrix-synapse 1.93.0-1
has caused the Debian Bug report #1053283,
regarding matrix-synapse: CVE-2023-42453 CVE-2023-41335
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: matrix-synapse
Version: 1.92.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for matrix-synapse.
CVE-2023-42453[0]:
| Synapse is an open-source Matrix homeserver written and maintained
| by the Matrix.org Foundation. Users were able to forge read receipts
| for any event (if they knew the room ID and event ID). Note that the
| users were not able to view the events, but simply mark it as read.
| This could be confusing as clients will show the event as read by
| the user, even if they are not in the room. This issue has been
| patched in version 1.93.0. Users are advised to upgrade. There are
| no known workarounds for this issue.
CVE-2023-41335[1]:
| Synapse is an open-source Matrix homeserver written and maintained
| by the Matrix.org Foundation. When users update their passwords, the
| new credentials may be briefly held in the server database. While
| this doesn't grant the server any added capabilities—it already
| learns the users' passwords as part of the authentication process—it
| does disrupt the expectation that passwords won't be stored in the
| database. As a result, these passwords could inadvertently be
| captured in database backups for a longer duration. These
| temporarily stored passwords are automatically erased after a
| 48-hour window. This issue has been addressed in version 1.93.0.
| Users are advised to upgrade. There are no known workarounds for
| this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-42453
https://www.cve.org/CVERecord?id=CVE-2023-42453
https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
[1] https://security-tracker.debian.org/tracker/CVE-2023-41335
https://www.cve.org/CVERecord?id=CVE-2023-41335
https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5
Regards,
Salvatore
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: matrix-synapse
Source-Version: 1.93.0-1
Done: Andrej Shadura <andre...@debian.org>
We believe that the bug you reported is fixed in the latest version of
matrix-synapse, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated matrix-synapse
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 01 Oct 2023 09:41:18 +0200
Source: matrix-synapse
Architecture: source
Version: 1.93.0-1
Distribution: unstable
Urgency: medium
Maintainer: Matrix Packaging Team <pkg-matrix-maintain...@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 1053283
Changes:
matrix-synapse (1.93.0-1) unstable; urgency=medium
.
[ Antonio Russo ]
* New upstream release (Closes: #1053283, CVE-2023-42453, CVE-2023-41335).
* Refresh patches.
* Revert pillow version bump.
Checksums-Sha1:
c9783af543a520f7e0eb9e6ddf6a83192df5ec5d 3216 matrix-synapse_1.93.0-1.dsc
21ce0eee99f4f9bb8325c17d0db7daabbc32973f 8382894 matrix-synapse_1.93.0.orig.tar.gz
b1a7b966cb78044aeb51da6b4df5536aaf27f8cf 115452 matrix-synapse_1.93.0-1.debian.tar.xz
Checksums-Sha256:
f046936f0c1b37522871b13384617b77ca107745cf0d406bf0d8da778f8c34ea 3216 matrix-synapse_1.93.0-1.dsc
4bacff7559cd1f36a51743b79fe871eb3b96933aa663aad6f8900a1c6b7f8e21 8382894 matrix-synapse_1.93.0.orig.tar.gz
50cc0e84f67527928864e783227683070d406a6dca43ea77ba1d1cbbdbd5c947 115452 matrix-synapse_1.93.0-1.debian.tar.xz
Files:
0dad0816ad80621531b00450bad16175 3216 net optional matrix-synapse_1.93.0-1.dsc
15ba2d14555f7616d720ff8dfd18b066 8382894 net optional matrix-synapse_1.93.0.orig.tar.gz
120b3a5c343fce0c818571acc440f817 115452 net optional matrix-synapse_1.93.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZRkkAAAKCRDoRGtKyMdy
YcrzAQD8h7g9BKreZNE1+eotEddDq0h7tnVylcPqzywu0hNd7AD/TYI4ZFK639P3
2f7+72CDcGiRw23Rsrz9c5huUM2lBwg=
=1R1k
-----END PGP SIGNATURE-----
--- End Message ---
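Checking a downloaded source package against the Checksums-Sha256 block of a .changes file like the one above, as an added example in Python. This is not Debian's own tooling (dscverify or dpkg); the parser follows the one-entry-per-line "digest size filename" layout shown above, the PAGE_CHANGES_SAMPLE constant reuses the digests and filenames from the .changes above, and the files written by demo() are constructed so that the round trip can run offline.

```python
"""Verify files against the Checksums-Sha256 block of a Debian .changes file.

Added example, not Debian's dscverify/dpkg code.  PAGE_CHANGES_SAMPLE
repeats the digests from the .changes above; the files created by demo()
are constructed sample data.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, int, str]  # (hex digest, size in bytes, filename)

# Excerpt of the .changes above, with the usual one-space continuation indent.
PAGE_CHANGES_SAMPLE = """\
Format: 1.8
Source: matrix-synapse
Checksums-Sha256:
 f046936f0c1b37522871b13384617b77ca107745cf0d406bf0d8da778f8c34ea 3216 matrix-synapse_1.93.0-1.dsc
 4bacff7559cd1f36a51743b79fe871eb3b96933aa663aad6f8900a1c6b7f8e21 8382894 matrix-synapse_1.93.0.orig.tar.gz
 50cc0e84f67527928864e783227683070d406a6dca43ea77ba1d1cbbdbd5c947 115452 matrix-synapse_1.93.0-1.debian.tar.xz
Files:
 0dad0816ad80621531b00450bad16175 3216 net optional matrix-synapse_1.93.0-1.dsc
"""


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> List[Entry]:
    """Return the (digest, size, filename) entries listed under `field`.

    A field's continuation lines are indented; the block ends at the first
    line that starts in column 0 (the next field or the PGP signature).
    """
    entries: List[Entry] = []
    in_block = False
    for line in changes_text.splitlines():
        if not in_block:
            in_block = line.strip() == field + ":"
            continue
        if not line.startswith((" ", "\t")):
            break
        parts = line.split()
        # Files: has five columns; the checksum fields have three.  Digest is
        # always first, size second, filename last.
        entries.append((parts[0].lower(), int(parts[1]), parts[-1]))
    return entries


def sha256_and_size(path: str) -> Tuple[str, int]:
    """Stream the file once, returning its hex SHA-256 and byte length."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def verify_entries(entries: List[Entry], directory: str) -> Dict[str, str]:
    """Map each listed filename to 'ok', 'missing', 'size mismatch' or
    'digest mismatch'.  Only the basename is used, so a .changes entry can
    never point outside `directory`."""
    results: Dict[str, str] = {}
    for digest, size, name in entries:
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual_digest, actual_size = sha256_and_size(path)
        if actual_size != size:
            results[name] = "size mismatch"
        elif actual_digest != digest:
            results[name] = "digest mismatch"
        else:
            results[name] = "ok"
    return results


def format_changes(entries: List[Entry]) -> str:
    """Render a minimal .changes fragment containing a Checksums-Sha256 block."""
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    lines += [f" {d} {s} {n}" for d, s, n in entries]
    lines.append("Files:")
    return "\n".join(lines) + "\n"


def demo(directory: Optional[str] = None) -> Dict[str, str]:
    """Constructed round trip: write two files, record their checksums,
    alter one afterwards, list a third that was never downloaded, verify."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="changes-demo-")
    good = os.path.join(directory, "example_1.0.orig.tar.gz")
    bad = os.path.join(directory, "example_1.0-1.debian.tar.xz")
    with open(good, "wb") as f:
        f.write(b"constructed upstream tarball bytes\n")
    with open(bad, "wb") as f:
        f.write(b"constructed debian tarball bytes\n")
    entries: List[Entry] = []
    for p in (good, bad):
        d, s = sha256_and_size(p)
        entries.append((d, s, os.path.basename(p)))
    entries.append(("0" * 64, 1, "example_1.0-1.dsc"))  # listed, never fetched
    text = format_changes(entries)
    with open(bad, "wb") as f:  # same length, different bytes
        f.write(b"constructed debian tarball BYTES\n")
    return verify_entries(parse_checksums(text), directory)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

Run this after checking the signature on the .changes itself; a matching digest only ties the file to the text you hold, so the text has to be trusted first (in Debian's case through the signing key of the uploader).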