GHSA-4f74-84v3-j9q5 / CVE-2023-41335 - Low Severity
Temporary storage of plaintext passwords during password changes: When users update their passwords, the new credentials may be briefly held in the server database. This does not grant the server any added capability, since it already learns users' passwords as part of the authentication process, but it does break the expectation that passwords are never stored in the database. As a result, these passwords could inadvertently be captured in database backups and retained for longer than intended. The temporarily stored passwords are automatically erased after a 48-hour window.

GHSA-7565-cq32-vx2x / CVE-2023-42453 - Low Severity
Improper validation of receipts allows forged read receipts: Users were able to forge read receipts for any event if they knew the room ID and event ID. Note that the users were not able to view the events, only mark them as read. This could be confusing, as clients will show the event as read by that user even though the user is not in the room.
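The second advisory above is a missing-authorisation check on a write path: a receipt is accepted on the strength of a (room ID, event ID) pair the sender happens to know, without confirming the sender is actually joined to that room. The following is an added illustration written for this page, not Synapse's own code; the room/membership/event model, the function names and the sample IDs are all constructed assumptions. It shows the unchecked behaviour the advisory describes next to a hardened handler that refuses receipts from non-members and for events that do not belong to the room.

```python
"""Added illustration (not Synapse code): read-receipt handling with and
without sender validation, modelled on the behaviour described in
CVE-2023-42453. Rooms, memberships and events are a constructed stand-in
for homeserver state; all names and IDs are assumptions for this example."""
from __future__ import annotations

from dataclasses import dataclass, field


class ReceiptRejected(Exception):
    """Raised when a receipt fails validation."""


@dataclass
class RoomState:
    members: set[str]                       # user IDs currently joined to the room
    event_ids: set[str]                     # event IDs known to exist in the room
    receipts: dict[str, set[str]] = field(default_factory=dict)  # event -> readers


def build_sample_rooms() -> dict[str, RoomState]:
    """Constructed sample state: alice is in the room, eve is not."""
    return {
        "!room:example.org": RoomState(
            members={"@alice:example.org", "@bob:example.org"},
            event_ids={"$evt1", "$evt2"},
        )
    }


def record_receipt_unchecked(rooms: dict[str, RoomState], user_id: str,
                             room_id: str, event_id: str) -> bool:
    """Vulnerable shape: the receipt is stored as soon as the room exists.
    Sender membership and event ownership are never checked, so anyone who
    knows (room_id, event_id) can mark the event as read."""
    room = rooms[room_id]
    room.receipts.setdefault(event_id, set()).add(user_id)
    return True


def record_receipt_checked(rooms: dict[str, RoomState], user_id: str,
                           room_id: str, event_id: str) -> bool:
    """Hardened shape: reject unless the sender is joined to the room and
    the event is actually an event of that room. Each check is done against
    server-side state, never against data supplied in the request."""
    room = rooms.get(room_id)
    if room is None:
        raise ReceiptRejected(f"unknown room {room_id}")
    if user_id not in room.members:
        raise ReceiptRejected(f"{user_id} is not joined to {room_id}")
    if event_id not in room.event_ids:
        raise ReceiptRejected(f"{event_id} is not an event in {room_id}")
    room.receipts.setdefault(event_id, set()).add(user_id)
    return True


def readers_of(rooms: dict[str, RoomState], room_id: str, event_id: str) -> set[str]:
    """Who a client would be shown as having read the event."""
    return set(rooms[room_id].receipts.get(event_id, set()))


def demo() -> dict[str, object]:
    """Run the outsider (@eve) against both handlers and report the outcome."""
    outsider, room, event = "@eve:example.org", "!room:example.org", "$evt1"

    vulnerable = build_sample_rooms()
    record_receipt_unchecked(vulnerable, outsider, room, event)

    hardened = build_sample_rooms()
    rejected = False
    try:
        record_receipt_checked(hardened, outsider, room, event)
    except ReceiptRejected:
        rejected = True
    # A genuine member is still accepted by the hardened handler.
    record_receipt_checked(hardened, "@alice:example.org", room, event)

    return {
        "forged_receipt_visible": outsider in readers_of(vulnerable, room, event),
        "hardened_rejected_outsider": rejected,
        "hardened_readers": readers_of(hardened, room, event),
    }


if __name__ == "__main__":
    print(demo())
```

The membership check is the one that closes the advisory's hole; the event-ownership check is added because a receipt for an event ID from a different room would otherwise be stored under the wrong room, which is the same class of confusion for clients.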
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fac914d542d409b61503fb44d4a55713632de066
commit fac914d542d409b61503fb44d4a55713632de066
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-09-26 20:39:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-26 20:44:35 +0000

    net-im/synapse: drop 1.88.0

    Bug: https://bugs.gentoo.org/914765
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/33076
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest              |  10 --
 net-im/synapse/synapse-1.88.0.ebuild | 210 -----------------------------------
 2 files changed, 220 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a3c6a063d96b19d670055e4475337a400d4f3f6
commit 1a3c6a063d96b19d670055e4475337a400d4f3f6
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-09-26 20:18:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-26 20:44:35 +0000

    net-im/synapse: add 1.93.0

    Upstream has set a restriction on pillow to be >=10.0.1 due to libwebp
    CVE-2023-4863. While they mention the possibility of lowering the
    restriction to >=5.4.0 if the issue is addressed downstream (which we
    have done), it seems to be unnecessary since we already have the
    pillow-10 line stabilized.

    Bug: https://bugs.gentoo.org/914765
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest              |   5 +
 net-im/synapse/synapse-1.93.0.ebuild | 210 +++++++++++++++++++++++++++++++++++
 2 files changed, 215 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c559bb7c5683fd991d317ca697c899915619423
commit 7c559bb7c5683fd991d317ca697c899915619423
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-10-19 15:48:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-27 02:53:12 +0000

    net-im/synapse: drop 1.90.0, 1.92.2

    Bug: https://bugs.gentoo.org/914765
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest              |  14 ---
 net-im/synapse/synapse-1.90.0.ebuild | 210 -----------------------------------
 net-im/synapse/synapse-1.92.2.ebuild | 210 -----------------------------------
 3 files changed, 434 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=17e2b155a748af5cd1276229d389b4641fec18c7
commit 17e2b155a748af5cd1276229d389b4641fec18c7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:31:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:31:54 +0000

    [ GLSA 202401-12 ] Synapse: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/914765
    Bug: https://bugs.gentoo.org/916609
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-12.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)