Source: matrix-synapse
Version: 1.116.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for matrix-synapse.

CVE-2024-52805[0]:
| Synapse is an open-source Matrix homeserver. In Synapse before
| 1.120.1, multipart/form-data requests can in certain configurations
| transiently increase memory consumption beyond expected levels while
| processing the request, which can be used to amplify denial of
| service attacks. Synapse 1.120.1 resolves the issue by denying
| requests with unsupported multipart/form-data content type.

CVE-2024-52815[1]:
| Synapse is an open-source Matrix homeserver. Synapse versions before
| 1.120.1 fail to properly validate invites received over federation.
| This vulnerability allows a malicious server to send a specially
| crafted invite that disrupts the invited user's /sync functionality.
| Synapse 1.120.1 rejects such invalid invites received over
| federation and restores the ability to sync for affected users.

CVE-2024-53863[2]:
| Synapse is an open-source Matrix homeserver. In Synapse versions
| before 1.120.1, enabling the dynamic_thumbnails option or processing
| a specially crafted request could trigger the decoding and thumbnail
| generation of uncommon image formats, potentially invoking external
| tools like Ghostscript for processing. This significantly expands
| the attack surface in a historically vulnerable area, presenting a
| risk that far outweighs the benefit, particularly since these
| formats are rarely used on the open web or within the Matrix
| ecosystem. Synapse 1.120.1 addresses the issue by restricting
| thumbnail generation to images in the following widely used formats:
| PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.

CVE-2024-53867[3]:
| Synapse is an open-source Matrix homeserver. The Sliding Sync
| feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak
| partial room state changes to users no longer in a room. Non-state
| events, like messages, are unaffected. This vulnerability is fixed
| in 1.120.1.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52805
    https://www.cve.org/CVERecord?id=CVE-2024-52805
    https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
[1] https://security-tracker.debian.org/tracker/CVE-2024-52815
    https://www.cve.org/CVERecord?id=CVE-2024-52815
    https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
[2] https://security-tracker.debian.org/tracker/CVE-2024-53863
    https://www.cve.org/CVERecord?id=CVE-2024-53863
    https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
[3] https://security-tracker.debian.org/tracker/CVE-2024-53867
    https://www.cve.org/CVERecord?id=CVE-2024-53867
    https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h

Regards,
Salvatore
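As an added example (not part of Salvatore's report, and not Synapse or Debian tooling), the following Python script turns the affected ranges quoted in the four CVE texts above into a version check. It takes a Debian package version such as `1.116.0-4` (optionally with an epoch or backports suffix), strips the Debian revision to get the upstream Synapse version, orders release candidates before their final release so that `1.113.0rc1` falls inside the Sliding Sync range, and then lists which of the four CVEs still apply. Because a distribution may backport fixes without bumping the upstream version, it also scans a changelog for the CVE IDs the report asks maintainers to record, and subtracts those. The sample changelog entry is constructed for this example and does not describe a real upload; the function names are this example's own.

```python
import re
from typing import List, Set, Tuple

# Boundaries as stated in the CVE descriptions quoted in the report above.
FIXED_IN = "1.120.1"                       # CVE-2024-52805, -52815, -53863: "before 1.120.1"
SLIDING_SYNC_FIRST_AFFECTED = "1.113.0rc1"  # CVE-2024-53867: "between 1.113.0rc1 and 1.120.0"
SLIDING_SYNC_LAST_AFFECTED = "1.120.0"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def upstream_version(debian_version: str) -> str:
    """Strip a Debian epoch and revision, e.g. '1:1.116.0-4~bpo12+1' -> '1.116.0'.

    Synapse upstream versions never contain '-' or ':', so the epoch ends at the
    first ':' and the Debian revision starts at the last '-'.
    """
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.ZrcN' into a tuple that sorts correctly.

    A release candidate must sort before the final release it precedes, so the
    rc number is used as the fourth key and a final release gets a large sentinel.
    """
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Synapse version: {v!r}")
    major, minor, patch, rc = m.groups()
    rc_key = int(rc) if rc is not None else 10**9
    return (int(major), int(minor), int(patch), rc_key)


def affected_cves(debian_version: str) -> List[str]:
    """Return the CVEs from this report whose stated range contains the upstream version."""
    v = parse_version(upstream_version(debian_version))
    result: List[str] = []
    if v < parse_version(FIXED_IN):
        result += ["CVE-2024-52805", "CVE-2024-52815", "CVE-2024-53863"]
    if parse_version(SLIDING_SYNC_FIRST_AFFECTED) <= v <= parse_version(SLIDING_SYNC_LAST_AFFECTED):
        result.append("CVE-2024-53867")
    return result


def cves_in_changelog(changelog_text: str) -> Set[str]:
    """Collect every CVE ID mentioned in a debian/changelog, as the report asks maintainers to do."""
    return set(_CVE_RE.findall(changelog_text))


def still_open(debian_version: str, changelog_text: str) -> List[str]:
    """CVEs the version range says apply, minus those the changelog records as fixed."""
    recorded = cves_in_changelog(changelog_text)
    return [cve for cve in affected_cves(debian_version) if cve not in recorded]


# Constructed sample changelog entry for this example; it is not a real Debian upload.
SAMPLE_CHANGELOG = """\
matrix-synapse (1.116.0-5) unstable; urgency=high

  * Constructed example entry, not a real upload.
  * Backport upstream fixes for CVE-2024-52815 and CVE-2024-53867.

 -- Example Maintainer <maintainer@example.org>  Mon, 02 Dec 2024 00:00:00 +0000
"""

if __name__ == "__main__":
    print("1.116.0-4 affected by:", affected_cves("1.116.0-4"))
    print("1.116.0-5 still open :", still_open("1.116.0-5", SAMPLE_CHANGELOG))
    print("1.120.1 affected by  :", affected_cves("1.120.1"))
```

The version check alone is only a first filter: the reported package version 1.116.0-4 sits inside every range in the report, and a package that backports fixes without an upstream bump will keep matching until its changelog names the CVE IDs, which is exactly why the report asks for them.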