Accepting request 985628 from network:messaging:matrix

OBS-URL: https://build.opensuse.org/request/show/985628
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=65

_service

@@ -4,7 +4,7 @@
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="url">https://github.com/matrix-org/synapse.git</param>
     <param name="scm">git</param>
-    <param name="revision">v1.61.0</param>
+    <param name="revision">v1.61.1</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
     <!--

matrix-synapse-1.61.0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d29e69b36fb0c89d8cf2bb5ee6bedf120d63487c8eac277f6a416133449442a4
-size 33012749

matrix-synapse-1.61.1.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8ab462f59d05c7dd2d034318c1902447df78b4f4cec516ecfca1734e586a51bd
+size 33015821

matrix-synapse-test.spec

@@ -27,7 +27,7 @@
 
 %define         pkgname matrix-synapse
 Name:           %{pkgname}-test
-Version:        1.61.0
+Version:        1.61.1
 Release:        0
 Summary:        Test package for %{pkgname}
 License:        Apache-2.0

matrix-synapse.changes

@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Tue Jun 28 15:55:03 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.61.1
+  This patch release fixes a security issue regarding URL previews,
+  affecting all prior versions of Synapse. Server administrators
+  are encouraged to update Synapse as soon as possible. We are not
+  aware of these vulnerabilities being exploited in the wild.
+
+  Server administrators who are unable to update Synapse may use
+  the workarounds described in the linked GitHub Security Advisory
+  below.
+
+  The following issue is fixed in 1.61.1.
+
+  GHSA-22p3-qrh9-cx32 / CVE-2022-31052
+
+  Synapse instances with the url_preview_enabled homeserver config
+  option set to true are affected. URL previews of some web pages
+  can lead to unbounded recursion, causing the request to either
+  fail, or in some cases crash the running Synapse process.
+
+  Requesting URL previews requires authentication. Nevertheless, it
+  is possible to exploit this maliciously, either by malicious
+  users on the homeserver, or by remote users sending URLs that a
+  local user's client may automatically request a URL preview for.
+
+  Homeservers with the url_preview_enabled configuration option set
+  to false (the default) are unaffected. Instances with the
+  enable_media_repo configuration option set to false are also
+  unaffected, as this also disables URL preview functionality.
+
+  Fixed by fa1308061802ac7b7d20e954ba7372c5ac292333.
+
+-------------------------------------------------------------------
+Fri Jun 17 10:00:40 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
+
+- force python 3.10 on TW
+
 -------------------------------------------------------------------
 Tue Jun 14 15:39:50 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
 

matrix-synapse.obsinfo

@@ -1,4 +1,4 @@
 name: matrix-synapse
-version: 1.61.0
+version: 1.61.1
-mtime: 1655204205
+mtime: 1656423666
-commit: b8bf61230c0d51231429b2d15973a8fd1cd76906
+commit: 09d89ddc1f875bb1ea835a7614980787d4ebd043

matrix-synapse.spec

@@ -140,14 +140,14 @@
 #define use_python python38
 #define __python3 #{_bindir}/python3
 #else
-%define use_python python3
+%define use_python python310
 #endif
 
 %define         modname synapse
 %define         pkgname matrix-synapse
 %define         eggname matrix_synapse
 Name:           %{pkgname}
-Version:        1.61.0
+Version:        1.61.1
 Release:        0
 Summary:        Matrix protocol reference homeserver
 License:        Apache-2.0