Accepting request 933284 from home:darix:apps
- Update to 1.47.1
This release fixes a security issue in the media store, affecting
all prior releases of Synapse. Server administrators are
encouraged to update Synapse as soon as possible. We are not
aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use
the workarounds described in the linked GitHub Security Advisory
below.
- Security Advisory:
GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
downloading remote media.
Synapse instances with the media repository enabled can be
tricked into downloading a file from a remote server into an
arbitrary directory, potentially outside the media store
directory. The last two directories and file name of the path
are chosen randomly by Synapse and cannot be controlled by an
attacker, which limits the impact. Homeservers with the media
repository disabled are unaffected. Homeservers configured with
a federation whitelist are also unaffected. Fixed by
91f2bd090.
OBS-URL: https://build.opensuse.org/request/show/933284
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=198
This commit is contained in:
Git OBS Bridge
parent
64b6a1702e
commit
fdd3a7f61a
2
_service
2
_service
@ -4,7 +4,7 @@
|
|||||||
<param name="versionformat">@PARENT_TAG@</param>
|
<param name="versionformat">@PARENT_TAG@</param>
|
||||||
<param name="url">https://github.com/matrix-org/synapse.git</param>
|
<param name="url">https://github.com/matrix-org/synapse.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="revision">v1.47.0</param>
|
<param name="revision">v1.47.1</param>
|
||||||
<param name="versionrewrite-pattern">v(.*)</param>
|
<param name="versionrewrite-pattern">v(.*)</param>
|
||||||
<param name="versionrewrite-replacement">\1</param>
|
<param name="versionrewrite-replacement">\1</param>
|
||||||
<!--
|
<!--
|
||||||
|
|||||||
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:ce0430826c5f9d410b138474e8d0ce4364e912a53a7e02da0ed6e04ca30e0a11
|
|
||||||
size 31602701
|
|
||||||
3
matrix-synapse-1.47.1.obscpio
Normal file
3
matrix-synapse-1.47.1.obscpio
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:ac8181c560c5aeeb7d8cd4985fa67d156d253667b427f7eaf315501100798934
|
||||||
|
size 31620109
|
||||||
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
%define pkgname matrix-synapse
|
%define pkgname matrix-synapse
|
||||||
Name: %{pkgname}-test
|
Name: %{pkgname}-test
|
||||||
Version: 1.47.0
|
Version: 1.47.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Test package for %{pkgname}
|
Summary: Test package for %{pkgname}
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
|
|||||||
@ -1,3 +1,28 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 23 14:45:19 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
|
||||||
|
|
||||||
|
- Update to 1.47.1
|
||||||
|
This release fixes a security issue in the media store, affecting
|
||||||
|
all prior releases of Synapse. Server administrators are
|
||||||
|
encouraged to update Synapse as soon as possible. We are not
|
||||||
|
aware of these vulnerabilities being exploited in the wild.
|
||||||
|
Server administrators who are unable to update Synapse may use
|
||||||
|
the workarounds described in the linked GitHub Security Advisory
|
||||||
|
below.
|
||||||
|
|
||||||
|
- Security Advisory:
|
||||||
|
GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
|
||||||
|
downloading remote media.
|
||||||
|
Synapse instances with the media repository enabled can be
|
||||||
|
tricked into downloading a file from a remote server into an
|
||||||
|
arbitrary directory, potentially outside the media store
|
||||||
|
directory. The last two directories and file name of the path
|
||||||
|
are chosen randomly by Synapse and cannot be controlled by an
|
||||||
|
attacker, which limits the impact. Homeservers with the media
|
||||||
|
repository disabled are unaffected. Homeservers configured with
|
||||||
|
a federation whitelist are also unaffected. Fixed by
|
||||||
|
91f2bd090.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Nov 17 14:19:53 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
|
Wed Nov 17 14:19:53 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
|
||||||
|
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
name: matrix-synapse
|
name: matrix-synapse
|
||||||
version: 1.47.0
|
version: 1.47.1
|
||||||
mtime: 1637154612
|
mtime: 1637347213
|
||||||
commit: 9f9d82aa846332189e818f51d49daf2335780014
|
commit: 8fa83999d688bb4c1747f2237002422e566e085f
|
||||||
|
|
||||||
|
|||||||
@ -47,7 +47,7 @@
|
|||||||
%define pkgname matrix-synapse
|
%define pkgname matrix-synapse
|
||||||
%define eggname matrix_synapse
|
%define eggname matrix_synapse
|
||||||
Name: %{pkgname}
|
Name: %{pkgname}
|
||||||
Version: 1.47.0
|
Version: 1.47.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Matrix protocol reference homeserver
|
Summary: Matrix protocol reference homeserver
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user