A malicious remote Matrix user who shares a room with a Synapse server running a version before 1.105.1 can send specially crafted events that exploit a flaw in how Synapse computes the auth chain cover index. Processing those events drives CPU usage high and writes excessive data into the server's database, resulting in a denial of service. Servers that do not federate, or that federate only within a private federation, are not affected; the fix is included in Synapse 1.105.1.
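A quick way to tell whether a federating Synapse server still reports an affected version, added here as an example and not taken from the advisory or from Synapse itself: it parses the JSON document that Synapse serves at GET /_matrix/federation/v1/version and compares the reported version with 1.105.1, treating release candidates (for example 1.105.1rc1) as older than the final release. The sample response bodies are constructed for this example, not captured from real servers; the optional fetch helper assumes the federation API is reachable directly on port 8448 and does not resolve .well-known or SRV delegation.

```python
"""Check whether a Synapse server's self-reported version predates 1.105.1.

Added example, not part of the advisory or of the Synapse project.
"""
import json
import re
import ssl
import urllib.request
from typing import Optional, Tuple

# Version that carries the auth chain cover index fix (from the advisory).
FIXED_VERSION = "1.105.1"

# Synapse reports versions such as "1.105.0", "1.105.0rc2" or
# "1.105.1 (b=master,abcdef0)"; we only need the leading numeric part.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '1.105.0rc2' into (1, 105, 0, 2).

    A final release gets a very large rc component so that it sorts after
    any of its release candidates. Returns None if the string is unparseable.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 10**6)


def is_vulnerable(version_body: str) -> Optional[bool]:
    """Classify the JSON body of /_matrix/federation/v1/version.

    Returns True if the server is Synapse older than 1.105.1, False if it is
    Synapse at or above the fixed version, and None if the body is not valid
    JSON, the server is not Synapse, or the version cannot be parsed.
    """
    try:
        doc = json.loads(version_body)
        server = doc["server"]
        name = server["name"]
        version = server["version"]
    except (ValueError, KeyError, TypeError):
        return None
    if name != "Synapse":
        return None
    parsed = parse_version(str(version))
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)


def fetch_version_body(server_name: str, port: int = 8448, timeout: float = 10.0) -> str:
    """Fetch the federation version document from a live server.

    Assumption (not from the advisory): the federation API listens directly
    on server_name:port. Delegation via .well-known or SRV is not resolved.
    """
    url = f"https://{server_name}:{port}/_matrix/federation/v1/version"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses for offline use (not captured from real servers).
SAMPLE_VULNERABLE = '{"server": {"name": "Synapse", "version": "1.104.0"}}'
SAMPLE_RC = '{"server": {"name": "Synapse", "version": "1.105.1rc1"}}'
SAMPLE_FIXED = '{"server": {"name": "Synapse", "version": "1.105.1 (b=master,deadbeef)"}}'
SAMPLE_OTHER = '{"server": {"name": "Dendrite", "version": "0.13.0"}}'

if __name__ == "__main__":
    for label, body in [("1.104.0", SAMPLE_VULNERABLE), ("1.105.1rc1", SAMPLE_RC),
                        ("1.105.1", SAMPLE_FIXED), ("non-Synapse", SAMPLE_OTHER)]:
        print(f"{label:12} vulnerable={is_vulnerable(body)}")
```

The result only says whether the reported version predates the fix; whether a server is actually exposed also depends on whether it federates openly, as the advisory notes, and a server can report a patched version string while running backported or locally modified code, so treat the check as a triage aid rather than proof.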
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=123715b98768e9091423aa406d1d4bf326533562

commit 123715b98768e9091423aa406d1d4bf326533562
Author:     Joe Kappus <joe@wt.gd>
AuthorDate: 2024-04-23 18:30:33 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-04-23 20:42:40 +0000

    net-im/synapse: add 1.105.1

    Bug: https://bugs.gentoo.org/930514
    Signed-off-by: Joe Kappus <joe@wt.gd>
    Closes: https://github.com/gentoo/gentoo/pull/36378
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 net-im/synapse/Manifest               |   1 +
 net-im/synapse/synapse-1.105.1.ebuild | 211 ++++++++++++++++++++++++++++++++++
 2 files changed, 212 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=086702e62705a7306a93eebaa40f257e41550a5c

commit 086702e62705a7306a93eebaa40f257e41550a5c
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-04-26 15:34:01 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-04-26 15:36:23 +0000

    net-im/synapse: drop 1.103.0, 1.104.0, 1.105.0

    Bug: https://bugs.gentoo.org/930514
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 net-im/synapse/Manifest                           |  15 --
 .../files/synapse-1.101.0-netaddr-tests.patch    |  33 ----
 net-im/synapse/synapse-1.103.0.ebuild             | 215 ---------------------
 net-im/synapse/synapse-1.104.0.ebuild             | 211 --------------------
 net-im/synapse/synapse-1.105.0.ebuild             | 211 --------------------
 5 files changed, 685 deletions(-)
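Review bot: the fixed version 1.105.1 lands on 2024-04-23, but the affected ebuilds 1.103.0, 1.104.0 and 1.105.0 stay in the tree until the separate drop commit on 2024-04-26, so for three days a user could still emerge a vulnerable version from the same bug-referenced fix. For a security bump it is safer to drop (or at least package.mask) the vulnerable versions in the same commit as the bump, or to land the drop immediately after, and to say so in the commit message. Note also that the second commit removes files/synapse-1.101.0-netaddr-tests.patch; if the 1.105.1 ebuild no longer references it that is fine, but the message does not say so.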