Bug#908044: marked as done (matrix-synapse: CVE-2018-16515: Undisclosed security vulnerability)

[Debian Bug Tracking System]

Your message dated Thu, 06 Sep 2018 12:19:47 +0000
with message-id <e1fxtgf-0006gs...@fasolo.debian.org>
and subject line Bug#908044: fixed in matrix-synapse 0.33.3.1-1
has caused the Debian Bug report #908044,
regarding matrix-synapse: CVE-2018-16515: Undisclosed security vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
908044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: matrix-synapse
Version: 0.33.3-1
Severity: grave
Tags: patch security upstream
Control: fixed -1 0.33.3.1-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

From
https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/:

> During the ongoing work to finalise a stable release of Matrix’s
> Server-Server federation API, we’ve been doing a full audit of
> Synapse’s implementation and have identified a serious vulnerability
> which we are going to release a security update to address (Synapse
> 0.33.3.1) on Thursday Sept 6th 2018 at 12:00 UTC.

- -- 
Cheers,
  Andrej

-----BEGIN PGP SIGNATURE-----

iQFIBAEBCAAyFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAluP1gAUHGFuZHJld3No
QGRlYmlhbi5vcmcACgkQXkCM2RzYOdJKCQgAibJqmoQ7GMUugRTWTy1fmkEMVXvg
4GwBbhJ2pbuiI01EsOpG81K/XEg2GRFdH9iKLjKzpVWInDBZb+2g8v/TFw9Vk2J4
BSrALMBQBqUkaGZ7fx4/Ul4djw5rWmN+Op2Uh/IY3qx+lIiWlBcjITV9scwuL2aI
89wrt4JyOrbWiqfRnFsjiE2IWzoJr4hw79yQtsu/N0qceOv4xfDOUUdqYF3S6vld
25OobDqLkN9bCs6RyADXZbpdQzRhfY6ETQdI7P9BxFy/MJeuJuK+aFCfwJvSxhaO
nD0CdGnIQrTypL1bIENo13JIoBejno2Xg0kStz1zNElrZVAw9sY73ptaag==
=5L8n
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

Source: matrix-synapse
Source-Version: 0.33.3.1-1

We believe that the bug you reported is fixed in the latest version of
matrix-synapse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated matrix-synapse 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Sep 2018 12:00:03 +0200
Source: matrix-synapse
Binary: matrix-synapse
Architecture: all source
Version: 0.33.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Matrix Packaging Team 
<pkg-matrix-maintain...@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 908044
Description: 
 matrix-synapse - Matrix reference homeserver
Changes:
 matrix-synapse (0.33.3.1-1) unstable; urgency=high
 .
   * New upstream version.
     - SECURITY UPDATE (CVE-2018-16515):
       Check that signatures on events are valid
       Fix origin handling for pushed transactions
     - Closes: #908044.
Checksums-Sha1: 
 94575edabb891efb1266a838865f473930ce373e 2478 matrix-synapse_0.33.3.1-1.dsc
 92c2a00df8d9aba1ee80f5279cb90546b74049eb 1015181 
matrix-synapse_0.33.3.1.orig.tar.gz
 bf515f277e8dd149bded5c2714ebed17f9af26cb 85908 
matrix-synapse_0.33.3.1-1.debian.tar.xz
 34bba31a590418f58cba4996b4286bf19cac0e5f 557356 
matrix-synapse_0.33.3.1-1_all.deb
 341a1b4fd0284e803290a37343a2c6019ad9777d 9461 
matrix-synapse_0.33.3.1-1_amd64.buildinfo
Checksums-Sha256: 
 e13cb8f2207fdbc39589c0bc57bf6e3b8976189fde30cdb8382f87963170eede 2478 
matrix-synapse_0.33.3.1-1.dsc
 779566ffd18eee659f0d533fed4bf782f13f50bdd18efd810057cc3af6f5ad85 1015181 
matrix-synapse_0.33.3.1.orig.tar.gz
 c21cf9ca75bf010dc7a06871f2bc3e96dd4895e127aa5831f5a7bbe9b5049173 85908 
matrix-synapse_0.33.3.1-1.debian.tar.xz
 8efde573714ffc8caedf4cc0d22ef70347106fc889452a0b949bdda0918c87e0 557356 
matrix-synapse_0.33.3.1-1_all.deb
 00866256eb7753567b32dd3f9f39d6c054f2f5d22a165b1ea32a9356cec49953 9461 
matrix-synapse_0.33.3.1-1_amd64.buildinfo
Files: 
 b3fdce63589ce118a63752f24c8614d8 2478 net optional 
matrix-synapse_0.33.3.1-1.dsc
 636c846bd51d1b0e55bc8c820a830db3 1015181 net optional 
matrix-synapse_0.33.3.1.orig.tar.gz
 5978db3330f917beb3e8ee055509cc7b 85908 net optional 
matrix-synapse_0.33.3.1-1.debian.tar.xz
 a5384672bffb8963509341dece62dc07 557356 net optional 
matrix-synapse_0.33.3.1-1_all.deb
 377681835f4106702bca12a3038f7565 9461 net optional 
matrix-synapse_0.33.3.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAluRF90ACgkQXkCM2RzY
OdLfpwgAkJxDfBzhRrezU7tCAUKehHDiQLa5YshQ66KsYKVTFA1rA4YjVv9DZe4Y
60/g2Y7TySBcQbO4AgRu5wdNbTIbyFzsv1c7itg9fHtwoGJu51RrZJdHYxAtsQiL
HlekPPQb4XOGYYcwn9vAVAfoYCEhSs7bhp0+BrEQvon8b88Tt0Dm63DfxYSIfI3S
XQ6ANkiZcd8wVYkiQTIig+cwNjqr96n1w9sG2LIdkYzVKbZpfvlhFX5/1YQ2EmzB
n+WxVT+fFoR8w4PNtLb4eDMjmvL9BMC3AfSTUS8ydDo5N5gea34uUvmzJB8SIbzQ
lv4chYFzUsPZSLn56+us7fZfbMF+dQ==
=ruXa
-----END PGP SIGNATURE-----

--- End Message ---