Bug 907950 (CVE-2023-32682, CVE-2023-32683) - <net-im/synapse-1.85.2: Multiple vulnerabilities
Summary: <net-im/synapse-1.85.2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-32682, CVE-2023-32683
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: C4 [noglsa]
Keywords: PullRequest, SECURITY
Depends on: 909325
Reported: 2023-06-06 11:01 UTC by Petr Vaněk
Modified: 2023-07-13 03:37 UTC
Runtime testing required: ---
Description Petr Vaněk gentoo-dev 2023-06-06 11:01:12 UTC
CVE-2023-32682 - Low Severity: It may be possible for a deactivated user to log in when using uncommon configurations.

CVE-2023-32683 - Low Severity: A discovered oEmbed or image URL can bypass the url_preview_url_blacklist setting, potentially allowing server-side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the url_preview_ip_range_blacklist setting (by default this only allows public IPs).
Comment 1 Larry the Git Cow gentoo-dev 2023-06-18 12:08:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f34d5e251d92564f22eddf926fc3a181fe89c5dd

commit f34d5e251d92564f22eddf926fc3a181fe89c5dd
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-06-07 13:07:49 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-06-18 12:08:16 +0000

    net-im/synapse: add 1.85.2
    
    - add two bdeps for testing of optional redis support
    
    Bug: https://bugs.gentoo.org/907950
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/31330
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-im/synapse/Manifest              |   2 +
 net-im/synapse/synapse-1.85.2.ebuild | 208 +++++++++++++++++++++++++++++++++++
 2 files changed, 210 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 03:09:30 UTC
Thanks for handling this!
Comment 3 Larry the Git Cow gentoo-dev 2023-07-12 07:00:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3331ce066a01b6814a294365bc1f1b2fa51df965

commit 3331ce066a01b6814a294365bc1f1b2fa51df965
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-06-28 14:26:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-12 06:59:34 +0000

    net-im/synapse: drop 1.82.0-r1, 1.83.0, 1.84.1
    
    Bug: https://bugs.gentoo.org/907950
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest                 |   7 --
 net-im/synapse/synapse-1.82.0-r1.ebuild | 204 -------------------------------
 net-im/synapse/synapse-1.83.0.ebuild    | 204 -------------------------------
 net-im/synapse/synapse-1.84.1.ebuild    | 206 --------------------------------
 4 files changed, 621 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-07-13 03:37:40 UTC
If noglsa, all done! Thanks!