Bug 907950 (CVE-2023-32682, CVE-2023-32683)

Summary: <net-im/synapse-1.85.2: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Petr Vaněk <arkamar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: arkamar, proxy-maint
Priority: Normal
Keywords: PullRequest, SECURITY
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/31330
          https://github.com/gentoo/gentoo/pull/31563
Whiteboard: C4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 909325
Bug Blocks:

Description Petr Vaněk gentoo-dev 2023-06-06 11:01:12 UTC
CVE-2023-32682 - Low Severity: It may be possible for a deactivated user to log in when using uncommon configurations.

CVE-2023-32683 - Low Severity: A discovered oEmbed or image URL can bypass the url_preview_url_blacklist setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the url_preview_ip_range_blacklist setting (by default this only allows public IPs).
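The second CVE describes a class of bug worth seeing concretely: a URL denylist that is applied to the user-supplied preview URL but not to the URLs the previewer then discovers inside the fetched page (an oEmbed endpoint or an og:image), so a page on an allowed host can steer the server at a denylisted one, bounded only by the IP-range denylist. The following is an added, illustrative Python model written for this page; it is not Synapse's code and not part of this bug. The two config lists are loosely modelled on the url_preview_url_blacklist and url_preview_ip_range_blacklist settings named above, and the hostnames, addresses, page bodies and resolver are constructed so the example runs offline.

```python
"""Illustrative model of a URL-preview fetcher (not Synapse's code).

Shows how a denylist applied only to the user-supplied URL is bypassed
when the previewer follows URLs it discovers in the fetched page
(an oEmbed endpoint or og:image), and how re-checking every hop fixes it.
Hostnames, IPs, page bodies and denylist entries below are constructed.
"""
import fnmatch
import ipaddress
import re
from urllib.parse import urlparse

# Constructed config, loosely modelled on Synapse's homeserver.yaml keys.
URL_BLACKLIST = [
    {"netloc": "intranet.example"},          # block an internal host by name
    {"netloc": "*.corp.example"},            # and a whole internal domain
]
IP_RANGE_BLACKLIST = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed "DNS" and "HTTP" so the example runs offline.
FAKE_DNS = {
    "blog.example.org": "203.0.113.10",      # public, allowed
    "intranet.example": "203.0.113.20",      # public IP, but name is denylisted
    "metadata.corp.example": "10.1.2.3",     # private IP and denylisted name
}
FAKE_HTTP = {
    "https://blog.example.org/post": (
        '<html><head>'
        '<link rel="alternate" type="application/json+oembed" '
        'href="https://intranet.example/oembed?url=post">'
        '<meta property="og:image" content="https://metadata.corp.example/latest/meta-data">'
        '</head></html>'
    ),
    "https://intranet.example/oembed?url=post": '{"title": "internal"}',
    "https://metadata.corp.example/latest/meta-data": "ami-id\nhostname",
}


def url_denylisted(url):
    """True if some pattern matches every URL component it lists (glob match)."""
    parts = urlparse(url)
    for pattern in URL_BLACKLIST:
        if all(fnmatch.fnmatch(getattr(parts, key) or "", glob)
               for key, glob in pattern.items()):
            return True
    return False


def ip_denylisted(url):
    """Resolve the host (constructed resolver) and check the IP ranges.

    Unknown hosts fail closed: an unresolvable name is treated as denied.
    """
    host = urlparse(url).hostname
    resolved = FAKE_DNS.get(host)
    if resolved is None:
        return True
    addr = ipaddress.ip_address(resolved)
    return any(addr in net for net in IP_RANGE_BLACKLIST)


def discovered_urls(html):
    """Pull the oEmbed endpoint and og:image URL out of a page body."""
    found = []
    m = re.search(r'type="application/json\+oembed"\s+href="([^"]+)"', html)
    if m:
        found.append(m.group(1))
    m = re.search(r'property="og:image"\s+content="([^"]+)"', html)
    if m:
        found.append(m.group(1))
    return found


def preview(url, recheck_discovered):
    """Return the list of URLs actually fetched while previewing `url`.

    recheck_discovered=False models the bypass: only the first URL is
    checked against URL_BLACKLIST; discovered URLs get the IP check alone.
    recheck_discovered=True applies both checks to every hop.
    """
    fetched = []
    if url_denylisted(url) or ip_denylisted(url):
        return fetched
    fetched.append(url)
    for sub in discovered_urls(FAKE_HTTP.get(url, "")):
        if ip_denylisted(sub):
            continue                      # IP-range denylist still limits impact
        if recheck_discovered and url_denylisted(sub):
            continue                      # the fix: re-apply the URL denylist per hop
        fetched.append(sub)
    return fetched
```

Run with recheck_discovered=False, previewing the allowed blog page causes a fetch of the name-denylisted intranet host (its address is public, so the IP-range check does not catch it), while the og:image on a 10.0.0.0/8 address is still refused, matching the advisory's note that impact is bounded by the IP-range denylist. With recheck_discovered=True only the original page is fetched. The general lesson is that any fetch chain (redirects, oEmbed discovery, image references) must pass every policy check at every hop, not only at the entry point.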
Comment 1 Larry the Git Cow gentoo-dev 2023-06-18 12:08:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f34d5e251d92564f22eddf926fc3a181fe89c5dd

commit f34d5e251d92564f22eddf926fc3a181fe89c5dd
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-06-07 13:07:49 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-06-18 12:08:16 +0000

    net-im/synapse: add 1.85.2
    
    - add two bdeps for testing of optional redis support
    
    Bug: https://bugs.gentoo.org/907950
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/31330
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-im/synapse/Manifest              |   2 +
 net-im/synapse/synapse-1.85.2.ebuild | 208 +++++++++++++++++++++++++++++++++++
 2 files changed, 210 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 03:09:30 UTC
Thanks for handling this!
Comment 3 Larry the Git Cow gentoo-dev 2023-07-12 07:00:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3331ce066a01b6814a294365bc1f1b2fa51df965

commit 3331ce066a01b6814a294365bc1f1b2fa51df965
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-06-28 14:26:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-12 06:59:34 +0000

    net-im/synapse: drop 1.82.0-r1, 1.83.0, 1.84.1
    
    Bug: https://bugs.gentoo.org/907950
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest                 |   7 --
 net-im/synapse/synapse-1.82.0-r1.ebuild | 204 -------------------------------
 net-im/synapse/synapse-1.83.0.ebuild    | 204 -------------------------------
 net-im/synapse/synapse-1.84.1.ebuild    | 206 --------------------------------
 4 files changed, 621 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-07-13 03:37:40 UTC
If noglsa, all done! Thanks!