GHSA-mp92-3jfm-3575 / CVE-2023-43796 — Moderate Severity Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fb805c997a284706c5cc3c2cb53a920969d0094 commit 9fb805c997a284706c5cc3c2cb53a920969d0094 Author: Petr Vaněk <arkamar@atlas.cz> AuthorDate: 2023-11-17 09:05:55 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-11-17 11:07:52 +0000 net-im/synapse: add 1.96.0 Bug: https://bugs.gentoo.org/916609 Signed-off-by: Petr Vaněk <arkamar@atlas.cz> Closes: https://github.com/gentoo/gentoo/pull/33616 Signed-off-by: Sam James <sam@gentoo.org> net-im/synapse/Manifest | 3 + net-im/synapse/synapse-1.96.0.ebuild | 210 +++++++++++++++++++++++++++++++++++ 2 files changed, 213 insertions(+)
CVE-2023-45129 (https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4): Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API. This one fixed in 1.94.0.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fac4d05cd64b3cea825d9c1e6707bbad389abf48 commit fac4d05cd64b3cea825d9c1e6707bbad389abf48 Author: Petr Vaněk <arkamar@gentoo.org> AuthorDate: 2023-12-02 21:21:38 +0000 Commit: Petr Vaněk <arkamar@gentoo.org> CommitDate: 2023-12-02 21:21:38 +0000 net-im/synapse: drop 1.93.0-r1, 1.95.0-r1 Bug: https://bugs.gentoo.org/916609 Signed-off-by: Petr Vaněk <arkamar@gentoo.org> net-im/synapse/Manifest | 16 --- net-im/synapse/synapse-1.93.0-r1.ebuild | 211 -------------------------------- net-im/synapse/synapse-1.95.0-r1.ebuild | 210 ------------------------------- 3 files changed, 437 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=17e2b155a748af5cd1276229d389b4641fec18c7 commit 17e2b155a748af5cd1276229d389b4641fec18c7 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-07 10:31:28 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-07 10:31:54 +0000 [ GLSA 202401-12 ] Synapse: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/914765 Bug: https://bugs.gentoo.org/916609 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-12.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+)
