Accepting request 1228089 from network:messaging:matrix

Forwarded request #1228088 from darix - Update to 1.120.2 (boo#1234110) OBS-URL: https://build.opensuse.org/request/show/1228089 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=116
2024-12-04 14:26:55 +00:00 · 2024-12-04 14:26:55 +00:00 · 423a198e24
commit 423a198e24
parent 5142e4b77e e764601768
8 changed files with 66 additions and 11 deletions
--- a/2
+++ b/2
@ -4,7 +4,7 @@
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="url">https://github.com/element-hq/synapse.git</param>
    <param name="scm">git</param>
-    <param name="revision">v1.120.0</param>
+    <param name="revision">v1.120.2</param>
    <param name="versionrewrite-pattern">v(.*)</param>
    <param name="versionrewrite-replacement">\1</param>
    <!--
--- a/matrix-synapse-1.120.0.obscpio
+++ b/matrix-synapse-1.120.0.obscpio
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c74ce7fab82f4a3634b3bde389eb544db2cc387f5e51e005aa024d506a94a0b8
-size 38536717
--- a/matrix-synapse-1.120.2.obscpio
+++ b/matrix-synapse-1.120.2.obscpio
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9076a1d125283e1dea531ac2ad1a871858e39aebaad1c14adaec96576dc25e0c
+size 38553101
--- a/matrix-synapse-test.spec
+++ b/matrix-synapse-test.spec
@ -27,7 +27,7 @@

 %define         pkgname matrix-synapse
 Name:           %{pkgname}-test
-Version:        1.120.0
+Version:        1.120.2
 Release:        0
 Summary:        Test package for %{pkgname}
 License:        AGPL-3.0-or-later
--- a/matrix-synapse.changes
+++ b/matrix-synapse.changes
@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Tue Dec  3 17:13:57 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.120.2 (boo#1234110)
+  This patch release fixes multiple security vulnerabilities, some
+  affecting all prior versions of Synapse. Server administrators
+  are encouraged to update Synapse as soon as possible. We are not
+  aware of these vulnerabilities being exploited in the wild.
+
+  Administrators who are unable to update Synapse may use the
+  workarounds described in the linked GitHub Security Advisory
+  below.
+
+  - Security advisory
+    The following issues are fixed in 1.120.1.
+    - GHSA-rfq8-j7rh-8hf2 / CVE-2024-52805 (high): Unsupported
+      content types can lead to memory exhaustion
+      Synapse instances which have a high max_upload_size and which
+      don't have a reverse proxy in front of them that would
+      otherwise limit upload size are affected.
+      Fixed by 4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf.
+    - GHSA-f3r3-h2mq-hx2h / CVE-2024-52815 (high): Malicious
+      invites via federation can break a user's sync
+      Fixed by d82e1ed357b7ee21dff83d06cba7a67840cfd464.
+    - GHSA-vp6v-whfm-rv3g / CVE-2024-53863 (high): Synapse can be
+      forced to thumbnail unexpected file formats, invoking
+      potentially untrustworthy decoders
+      Synapse instances can disable dynamic thumbnailing by setting
+      dynamic_thumbnails to false in the configuration file.
+      Fixed by b64a4e5fbbbf119b6c65aedf0d999b4237d55503.
+    - GHSA-56w4-5538-8v8h / CVE-2024-53867 (moderate): The Sliding
+      Sync feature on Synapse versions between 1.113.0rc1 and
+      1.120.0 can leak partial room state changes to users no
+      longer in a room
+      Non-state events, like messages, are unaffected.
+      Synapse instances can disable the Sliding Sync feature by
+      setting experimental_features.msc3575_enabled to false in the
+      configuration file.
+      Fixed by 4daa533e82f345ce87b9495d31781af570ba3ead.
+
+  Additionally, we disclose the following vulnerabilities, both
+  have been fixed in Synapse 1.106.0:
+
+  - GHSA-4mhg-xv73-xq2x / CVE-2024-37302 (high): Denial of service
+    through media disk space consumption
+  - GHSA-gjgr-7834-rhxr / CVE-2024-37303 (moderate):
+    Unauthenticated writes to the media repository allow planting
+    of problematic content
+
+  See the advisories for more details. If you have any questions,
+  email security at element.io.
+
+  - Bug fixes
+    - Fix release process to not create duplicate releases. (#17970)
+
 -------------------------------------------------------------------
 Tue Nov 26 14:22:09 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>

--- a/matrix-synapse.obsinfo
+++ b/matrix-synapse.obsinfo
@ -1,4 +1,4 @@
 name: matrix-synapse
-version: 1.120.0
-mtime: 1732626672
-commit: 8c653e1dd6c8f18f2f9e2d78d37877a70dba1b2d
+version: 1.120.2
+mtime: 1733241520
+commit: 6f689d452c5632df558e76bc5a24111e555a3c8a
--- a/matrix-synapse.spec
+++ b/matrix-synapse.spec
@ -154,7 +154,7 @@
 %define         pkgname matrix-synapse
 %define         eggname matrix_synapse
 Name:           %{pkgname}
-Version:        1.120.0
+Version:        1.120.2
 Release:        0
 Summary:        Matrix protocol reference homeserver
 License:        AGPL-3.0-or-later
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:404067764d8166f18d9ad68c91532cd07df278f4e57f756b6e75f6d16b9c6bd6
-size 7156346
+oid sha256:761c8237499e33695ef7b70e81f01f59565df51cbed197022ea79bd2220020f1
+size 7163969