Your message dated Thu, 12 Dec 2024 11:19:21 +0100
with message-id <z1q4qtjkyjx39...@eldamar.lan>
and subject line Re: Accepted matrix-synapse 1.121.0-1 (source) into unstable
has caused the Debian Bug report #1088995,
regarding matrix-synapse: CVE-2024-52805 CVE-2024-52815 CVE-2024-53863 CVE-2024-53867
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1088995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: matrix-synapse
Version: 1.116.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for matrix-synapse.
CVE-2024-52805[0]:
| Synapse is an open-source Matrix homeserver. In Synapse before
| 1.120.1, multipart/form-data requests can in certain configurations
| transiently increase memory consumption beyond expected levels while
| processing the request, which can be used to amplify denial of
| service attacks. Synapse 1.120.1 resolves the issue by denying
| requests with unsupported multipart/form-data content type.
CVE-2024-52815[1]:
| Synapse is an open-source Matrix homeserver. Synapse versions before
| 1.120.1 fail to properly validate invites received over federation.
| This vulnerability allows a malicious server to send a specially
| crafted invite that disrupts the invited user's /sync functionality.
| Synapse 1.120.1 rejects such invalid invites received over
| federation and restores the ability to sync for affected users.
CVE-2024-53863[2]:
| Synapse is an open-source Matrix homeserver. In Synapse versions
| before 1.120.1, enabling the dynamic_thumbnails option or processing
| a specially crafted request could trigger the decoding and thumbnail
| generation of uncommon image formats, potentially invoking external
| tools like Ghostscript for processing. This significantly expands
| the attack surface in a historically vulnerable area, presenting a
| risk that far outweighs the benefit, particularly since these
| formats are rarely used on the open web or within the Matrix
| ecosystem. Synapse 1.120.1 addresses the issue by restricting
| thumbnail generation to images in the following widely used formats:
| PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
CVE-2024-53867[3]:
| Synapse is an open-source Matrix homeserver. The Sliding Sync
| feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak
| partial room state changes to users no longer in a room. Non-state
| events, like messages, are unaffected. This vulnerability is fixed
| in 1.120.1.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52805
https://www.cve.org/CVERecord?id=CVE-2024-52805
https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
[1] https://security-tracker.debian.org/tracker/CVE-2024-52815
https://www.cve.org/CVERecord?id=CVE-2024-52815
https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
[2] https://security-tracker.debian.org/tracker/CVE-2024-53863
https://www.cve.org/CVERecord?id=CVE-2024-53863
https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
[3] https://security-tracker.debian.org/tracker/CVE-2024-53867
https://www.cve.org/CVERecord?id=CVE-2024-53867
https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h
Regards,
Salvatore
--- End Message ---
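A small version-triage helper for the four advisories quoted above, added here as an example (it is not part of the bug report or of the Synapse project). It assumes the "between 1.113.0rc1 and 1.120.0" range for CVE-2024-53867 is inclusive at both ends, and it compares upstream version strings only: a Debian package such as 1.116.0-4 may carry backported fixes that this check cannot see, so its changelog is the authority there.

```python
import re
from typing import Set, Tuple

# Ranges taken from the advisory texts quoted in the bug report.
FIXED_IN = "1.120.1"                        # fix for 52805, 52815, 53863
SLIDING_SYNC_RANGE = ("1.113.0rc1", "1.120.0")  # CVE-2024-53867 (assumed inclusive)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Parse a Synapse upstream version, optionally with an rcN suffix, into a
    comparable tuple. A final release sorts after its release candidates."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version: {v!r}")
    major, minor, patch, rc = m.groups()
    rc_rank, rc_num = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch), rc_rank, rc_num)


def upstream_version(debian_version: str) -> str:
    """Strip the Debian revision ('1.116.0-4' -> '1.116.0'). Backported fixes
    in the Debian package are NOT visible in the upstream number."""
    return debian_version.split("-", 1)[0]


def affected_cves(version: str) -> Set[str]:
    """Return the CVEs from this report that apply to an upstream version."""
    v = parse_version(version)
    cves: Set[str] = set()
    if v < parse_version(FIXED_IN):
        cves.update({"CVE-2024-52805", "CVE-2024-52815", "CVE-2024-53863"})
    lo, hi = (parse_version(x) for x in SLIDING_SYNC_RANGE)
    if lo <= v <= hi:
        cves.add("CVE-2024-53867")
    return cves


if __name__ == "__main__":
    # The version the bug was filed against and the upload that closed it.
    for deb in ("1.116.0-4", "1.121.0-1"):
        print(deb, sorted(affected_cves(upstream_version(deb))) or "none")
```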
--- Begin Message ---
Source: matrix-synapse
Source-Version: 1.121.0-1
This fixes as well a couple of CVEs TTBOMK, all covered by #1088995.
So closing manually now.
On Thu, Dec 12, 2024 at 09:36:42AM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Thu, 12 Dec 2024 10:15:24 +0100
> Source: matrix-synapse
> Architecture: source
> Version: 1.121.0-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Matrix Packaging Team <pkg-matrix-maintain...@lists.alioth.debian.org>
> Changed-By: Antonio Russo <aeru...@aerusso.net>
> Changes:
> matrix-synapse (1.121.0-1) unstable; urgency=medium
> .
> * New upstream release.
> * Refresh patches.
> * Temporarily revert pyo3 version bump
> * Apply patches from the Twisted 24.11 compatibility upstream MR.
--- End Message ---