Bug 916609 (CVE-2023-43796, CVE-2023-45129) - <net-im/synapse-1.96.0: Leak of remote user device information
Summary: <net-im/synapse-1.96.0: Leak of remote user device information
Alias: CVE-2023-43796, CVE-2023-45129
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 919062
Reported: 2023-11-01 07:32 UTC by Petr Vaněk
Modified: 2024-01-07 10:32 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Petr Vaněk gentoo-dev 2023-11-01 07:32:38 UTC
GHSA-mp92-3jfm-3575 / CVE-2023-43796 — Moderate Severity

Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.
Comment 1 Larry the Git Cow gentoo-dev 2023-11-17 11:09:19 UTC
The bug has been referenced in the following commit(s):

commit 9fb805c997a284706c5cc3c2cb53a920969d0094
Author:     Petr Vaněk <>
AuthorDate: 2023-11-17 09:05:55 +0000
Commit:     Sam James <>
CommitDate: 2023-11-17 11:07:52 +0000

    net-im/synapse: add 1.96.0
    Signed-off-by: Petr Vaněk <>
    Signed-off-by: Sam James <>

 net-im/synapse/Manifest              |   3 +
 net-im/synapse/synapse-1.96.0.ebuild | 210 +++++++++++++++++++++++++++++++++++
 2 files changed, 213 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-28 19:12:00 UTC
CVE-2023-45129

Synapse is an open-source Matrix homeserver written and maintained by the Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

This one fixed in 1.94.0.
Comment 3 Larry the Git Cow gentoo-dev 2023-12-02 21:22:43 UTC
The bug has been referenced in the following commit(s):

commit fac4d05cd64b3cea825d9c1e6707bbad389abf48
Author:     Petr Vaněk <>
AuthorDate: 2023-12-02 21:21:38 +0000
Commit:     Petr Vaněk <>
CommitDate: 2023-12-02 21:21:38 +0000

    net-im/synapse: drop 1.93.0-r1, 1.95.0-r1
    Signed-off-by: Petr Vaněk <>

 net-im/synapse/Manifest                 |  16 ---
 net-im/synapse/synapse-1.93.0-r1.ebuild | 211 --------------------------------
 net-im/synapse/synapse-1.95.0-r1.ebuild | 210 -------------------------------
 3 files changed, 437 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-07 10:31:59 UTC
The bug has been referenced in the following commit(s):

commit 17e2b155a748af5cd1276229d389b4641fec18c7
Author:     GLSAMaker <>
AuthorDate: 2024-01-07 10:31:28 +0000
Commit:     Hans de Graaff <>
CommitDate: 2024-01-07 10:31:54 +0000

    [ GLSA 202401-12 ] Synapse: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202401-12.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)