Accepting request 985625 from home:darix:apps

- Update to 1.61.1
  This patch release fixes a security issue regarding URL previews,
  affecting all prior versions of Synapse. Server administrators
  are encouraged to update Synapse as soon as possible. We are not
  aware of these vulnerabilities being exploited in the wild.
  Server administrators who are unable to update Synapse may use
  the workarounds described in the linked GitHub Security Advisory
  below.
  The following issue is fixed in 1.61.1.
  GHSA-22p3-qrh9-cx32 / CVE-2022-31052
  Synapse instances with the url_preview_enabled homeserver config
  option set to true are affected. URL previews of some web pages
  can lead to unbounded recursion, causing the request to either
  fail, or in some cases crash the running Synapse process.
  Requesting URL previews requires authentication. Nevertheless, it
  is possible to exploit this maliciously, either by malicious
  users on the homeserver, or by remote users sending URLs that a
  local user's client may automatically request a URL preview for.
  Homeservers with the url_preview_enabled configuration option set
  to false (the default) are unaffected. Instances with the
  enable_media_repo configuration option set to false are also
  unaffected, as this also disables URL preview functionality.
  Fixed by fa1308061802ac7b7d20e954ba7372c5ac292333.

- force python 3.10 on TW

OBS-URL: https://build.opensuse.org/request/show/985625
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=228
Oliver Kurz 2022-06-28 16:33:36 +00:00 committed by Git OBS Bridge
parent 40ed31c414
commit c44471789a
7 changed files with 49 additions and 10 deletions

@ -4,7 +4,7 @@
<param name="versionformat">@PARENT_TAG@</param>
<param name="url">https://github.com/matrix-org/synapse.git</param>
<param name="scm">git</param>
<param name="revision">v1.61.0</param>
<param name="revision">v1.61.1</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
<!--

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d29e69b36fb0c89d8cf2bb5ee6bedf120d63487c8eac277f6a416133449442a4
size 33012749

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8ab462f59d05c7dd2d034318c1902447df78b4f4cec516ecfca1734e586a51bd
size 33015821

@ -27,7 +27,7 @@
%define pkgname matrix-synapse
Name: %{pkgname}-test
Version: 1.61.0
Version: 1.61.1
Release: 0
Summary: Test package for %{pkgname}
License: Apache-2.0

@ -1,3 +1,42 @@
-------------------------------------------------------------------
Tue Jun 28 15:55:03 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.61.1
This patch release fixes a security issue regarding URL previews,
affecting all prior versions of Synapse. Server administrators
are encouraged to update Synapse as soon as possible. We are not
aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use
the workarounds described in the linked GitHub Security Advisory
below.
The following issue is fixed in 1.61.1.
GHSA-22p3-qrh9-cx32 / CVE-2022-31052
Synapse instances with the url_preview_enabled homeserver config
option set to true are affected. URL previews of some web pages
can lead to unbounded recursion, causing the request to either
fail, or in some cases crash the running Synapse process.
Requesting URL previews requires authentication. Nevertheless, it
is possible to exploit this maliciously, either by malicious
users on the homeserver, or by remote users sending URLs that a
local user's client may automatically request a URL preview for.
Homeservers with the url_preview_enabled configuration option set
to false (the default) are unaffected. Instances with the
enable_media_repo configuration option set to false are also
unaffected, as this also disables URL preview functionality.
Fixed by fa1308061802ac7b7d20e954ba7372c5ac292333.
-------------------------------------------------------------------
Fri Jun 17 10:00:40 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- force python 3.10 on TW
-------------------------------------------------------------------
Tue Jun 14 15:39:50 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
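
Review bot: The new 1.61.1 entry points readers to "the workarounds described in the linked GitHub Security Advisory below", but the entry contains no link, only the identifiers GHSA-22p3-qrh9-cx32 / CVE-2022-31052. Either add the advisory URL or name the mitigation the entry already implies (url_preview_enabled set to false), so an administrator reading the RPM changelog can act on it directly. The entry also says "a security issue" and then "these vulnerabilities"; only one CVE is listed, so the singular is the consistent form.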

@ -1,4 +1,4 @@
name: matrix-synapse
version: 1.61.0
mtime: 1655204205
commit: b8bf61230c0d51231429b2d15973a8fd1cd76906
version: 1.61.1
mtime: 1656423666
commit: 09d89ddc1f875bb1ea835a7614980787d4ebd043
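
Review bot: The new "commit: 09d89ddc1f875bb1ea835a7614980787d4ebd043" line is not the hash the changelog credits with the fix (fa1308061802ac7b7d20e954ba7372c5ac292333), so nothing in this request shows that the packaged tree contains it. Before accepting, confirm in the upstream repository that fa13080 is an ancestor of 09d89dd, for example with git merge-base --is-ancestor. This matters because the service file's "revision" parameter follows the tag name v1.61.1 rather than a fixed hash.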

@ -140,14 +140,14 @@
#define use_python python38
#define __python3 #{_bindir}/python3
#else
%define use_python python3
%define use_python python310
#endif
%define modname synapse
%define pkgname matrix-synapse
%define eggname matrix_synapse
Name: %{pkgname}
Version: 1.61.0
Version: 1.61.1
Release: 0
Summary: Matrix protocol reference homeserver
License: Apache-2.0
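
Review bot: In the visible context the "#else" and "#endif" lines around "%define use_python python310" begin with "#", which rpm treats as comments, so the define is not confined to one branch and pins python310 for every build target, not only Tumbleweed as the changelog entry "force python 3.10 on TW" says. If the pin is meant for TW alone, guard it with a real %if on the distribution version. A short comment saying why 3.10 is forced would also let the pin be dropped once it is no longer needed.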