Your message dated Sat, 04 Nov 2023 20:37:48 +0000
with message-id <e1qznou-003lhd...@fasolo.debian.org>
and subject line Bug#1055255: fixed in matrix-synapse 1.95.1-1
has caused the Debian Bug report #1055255,
regarding matrix-synapse: CVE-2023-43796
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1055255: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: matrix-synapse
Version: 1.95.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for matrix-synapse.
CVE-2023-43796[0]:
| Synapse is an open-source Matrix homeserver Prior to versions 1.95.1
| and 1.96.0rc1, cached device information of remote users can be
| queried from Synapse. This can be used to enumerate the remote users
| known to a homeserver. System administrators are encouraged to
| upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a
| workaround, the `federation_domain_whitelist` can be used to limit
| federation traffic with a homeserver.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-43796
https://www.cve.org/CVERecord?id=CVE-2023-43796
[1]
https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575
[2]
https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: matrix-synapse
Source-Version: 1.95.1-1
Done: Andrej Shadura <andrew.shad...@collabora.co.uk>
We believe that the bug you reported is fixed in the latest version of
matrix-synapse, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <andrew.shad...@collabora.co.uk> (supplier of updated
matrix-synapse package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 04 Nov 2023 21:12:29 +0100
Source: matrix-synapse
Architecture: source
Version: 1.95.1-1
Distribution: unstable
Urgency: high
Maintainer: Matrix Packaging Team
<pkg-matrix-maintain...@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andrew.shad...@collabora.co.uk>
Closes: 1055255
Changes:
matrix-synapse (1.95.1-1) unstable; urgency=high
.
* New upstream release (CVE-2023-43796, Closes: #1055255).
Checksums-Sha1:
81cf22ffc36f0ea9e40a15d8da904ee8aaa3e2d9 3216 matrix-synapse_1.95.1-1.dsc
f9955b09a05842714210ad2ed5744b22b2df8fe4 8404523
matrix-synapse_1.95.1.orig.tar.gz
299977100afd8e532ca7f3ea21d7110d83664bb7 114988
matrix-synapse_1.95.1-1.debian.tar.xz
Checksums-Sha256:
4fcba3df608ab2de48d5f6a6d74c8663873abe2c337f9574f0dbe0330cf2981a 3216
matrix-synapse_1.95.1-1.dsc
72eb37eda94e4dad276f81d5a20c31782ba120fada0d6ac4d3efe0e8dfe642be 8404523
matrix-synapse_1.95.1.orig.tar.gz
4108a60948af9f79e774ccd860df082dd226986af6958bcb93a7054a5665b009 114988
matrix-synapse_1.95.1-1.debian.tar.xz
Files:
925e07c34c5e581c8b2454254e5b44d0 3216 net optional matrix-synapse_1.95.1-1.dsc
7ff0626e16c0707df294b70eb3336522 8404523 net optional
matrix-synapse_1.95.1.orig.tar.gz
e90e17d1f43c447dc0337abd05903e05 114988 net optional
matrix-synapse_1.95.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZUamOQAKCRDoRGtKyMdy
YdvLAQDUWPhSmKeoLilMa4Q0NrXloBe1dGtxAFUIdCKAR4W3ogEAs2Qqmy7PaS1l
5LGh97l0flsZ79zaKpKElSGnwNI4tAg=
=tD+v
-----END PGP SIGNATURE-----
--- End Message ---
