From fdd3a7f61ae31f2767629f6b5e22c5813161d01f3079d9333d6a57b05d934563 Mon Sep 17 00:00:00 2001
From: Marcus Rueckert <mrueckert@suse.com>
Date: Tue, 23 Nov 2021 14:50:11 +0000
Subject: [PATCH] Accepting request 933284 from home:darix:apps

- Update to 1.47.1
  This release fixes a security issue in the media store, affecting
  all prior releases of Synapse. Server administrators are
  encouraged to update Synapse as soon as possible. We are not
  aware of these vulnerabilities being exploited in the wild.
  Server administrators who are unable to update Synapse may use
  the workarounds described in the linked GitHub Security Advisory
  below.
  - Security Advisory:
    GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
    downloading remote media.
    Synapse instances with the media repository enabled can be
    tricked into downloading a file from a remote server into an
    arbitrary directory, potentially outside the media store
    directory.  The last two directories and file name of the path
    are chosen randomly by Synapse and cannot be controlled by an
    attacker, which limits the impact.  Homeservers with the media
    repository disabled are unaffected. Homeservers configured with
    a federation whitelist are also unaffected.  Fixed by
    91f2bd090.

OBS-URL: https://build.opensuse.org/request/show/933284
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=198
---
 _service                      |  2 +-
 matrix-synapse-1.47.0.obscpio |  3 ---
 matrix-synapse-1.47.1.obscpio |  3 +++
 matrix-synapse-test.spec      |  2 +-
 matrix-synapse.changes        | 25 +++++++++++++++++++++++++
 matrix-synapse.obsinfo        |  6 +++---
 matrix-synapse.spec           |  2 +-
 7 files changed, 34 insertions(+), 9 deletions(-)
 delete mode 100644 matrix-synapse-1.47.0.obscpio
 create mode 100644 matrix-synapse-1.47.1.obscpio

diff --git a/_service b/_service
index 9c623fc..5fdd850 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="url">https://github.com/matrix-org/synapse.git</param>
     <param name="scm">git</param>
-    <param name="revision">v1.47.0</param>
+    <param name="revision">v1.47.1</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
     <!--
diff --git a/matrix-synapse-1.47.0.obscpio b/matrix-synapse-1.47.0.obscpio
deleted file mode 100644
index 475e1b7..0000000
--- a/matrix-synapse-1.47.0.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ce0430826c5f9d410b138474e8d0ce4364e912a53a7e02da0ed6e04ca30e0a11
-size 31602701
diff --git a/matrix-synapse-1.47.1.obscpio b/matrix-synapse-1.47.1.obscpio
new file mode 100644
index 0000000..20fe31b
--- /dev/null
+++ b/matrix-synapse-1.47.1.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ac8181c560c5aeeb7d8cd4985fa67d156d253667b427f7eaf315501100798934
+size 31620109
diff --git a/matrix-synapse-test.spec b/matrix-synapse-test.spec
index f7673fb..834612d 100644
--- a/matrix-synapse-test.spec
+++ b/matrix-synapse-test.spec
@@ -27,7 +27,7 @@
 
 %define         pkgname matrix-synapse
 Name:           %{pkgname}-test
-Version:        1.47.0
+Version:        1.47.1
 Release:        0
 Summary:        Test package for %{pkgname}
 License:        Apache-2.0
diff --git a/matrix-synapse.changes b/matrix-synapse.changes
index 0afbe97..f6608ef 100644
--- a/matrix-synapse.changes
+++ b/matrix-synapse.changes
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Tue Nov 23 14:45:19 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.47.1
+  This release fixes a security issue in the media store, affecting
+  all prior releases of Synapse. Server administrators are
+  encouraged to update Synapse as soon as possible. We are not
+  aware of these vulnerabilities being exploited in the wild.
+  Server administrators who are unable to update Synapse may use
+  the workarounds described in the linked GitHub Security Advisory
+  below.
+
+  - Security Advisory:
+    GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
+    downloading remote media.
+    Synapse instances with the media repository enabled can be
+    tricked into downloading a file from a remote server into an
+    arbitrary directory, potentially outside the media store
+    directory.  The last two directories and file name of the path
+    are chosen randomly by Synapse and cannot be controlled by an
+    attacker, which limits the impact.  Homeservers with the media
+    repository disabled are unaffected. Homeservers configured with
+    a federation whitelist are also unaffected.  Fixed by
+    91f2bd090. 
+
 -------------------------------------------------------------------
 Wed Nov 17 14:19:53 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
 
diff --git a/matrix-synapse.obsinfo b/matrix-synapse.obsinfo
index 3e530a0..d056851 100644
--- a/matrix-synapse.obsinfo
+++ b/matrix-synapse.obsinfo
@@ -1,5 +1,5 @@
 name: matrix-synapse
-version: 1.47.0
-mtime: 1637154612
-commit: 9f9d82aa846332189e818f51d49daf2335780014
+version: 1.47.1
+mtime: 1637347213
+commit: 8fa83999d688bb4c1747f2237002422e566e085f
 
diff --git a/matrix-synapse.spec b/matrix-synapse.spec
index eab499a..a8a2c84 100644
--- a/matrix-synapse.spec
+++ b/matrix-synapse.spec
@@ -47,7 +47,7 @@
 %define         pkgname matrix-synapse
 %define         eggname matrix_synapse
 Name:           %{pkgname}
-Version:        1.47.0
+Version:        1.47.1
 Release:        0
 Summary:        Matrix protocol reference homeserver
 License:        Apache-2.0