Accepting request 933284 from home:darix:apps
- Update to 1.47.1 This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild. Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below. - Security Advisory: GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when downloading remote media. Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory. The last two directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected. Fixed by 91f2bd090. OBS-URL: https://build.opensuse.org/request/show/933284 OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=198
This commit is contained in:
parent
64b6a1702e
commit
fdd3a7f61a
2
_service
2
_service
@ -4,7 +4,7 @@
|
||||
<param name="versionformat">@PARENT_TAG@</param>
|
||||
<param name="url">https://github.com/matrix-org/synapse.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="revision">v1.47.0</param>
|
||||
<param name="revision">v1.47.1</param>
|
||||
<param name="versionrewrite-pattern">v(.*)</param>
|
||||
<param name="versionrewrite-replacement">\1</param>
|
||||
<!--
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ce0430826c5f9d410b138474e8d0ce4364e912a53a7e02da0ed6e04ca30e0a11
|
||||
size 31602701
|
3
matrix-synapse-1.47.1.obscpio
Normal file
3
matrix-synapse-1.47.1.obscpio
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ac8181c560c5aeeb7d8cd4985fa67d156d253667b427f7eaf315501100798934
|
||||
size 31620109
|
@ -27,7 +27,7 @@
|
||||
|
||||
%define pkgname matrix-synapse
|
||||
Name: %{pkgname}-test
|
||||
Version: 1.47.0
|
||||
Version: 1.47.1
|
||||
Release: 0
|
||||
Summary: Test package for %{pkgname}
|
||||
License: Apache-2.0
|
||||
|
@ -1,3 +1,28 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 23 14:45:19 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
- Update to 1.47.1
|
||||
This release fixes a security issue in the media store, affecting
|
||||
all prior releases of Synapse. Server administrators are
|
||||
encouraged to update Synapse as soon as possible. We are not
|
||||
aware of these vulnerabilities being exploited in the wild.
|
||||
Server administrators who are unable to update Synapse may use
|
||||
the workarounds described in the linked GitHub Security Advisory
|
||||
below.
|
||||
|
||||
- Security Advisory:
|
||||
GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
|
||||
downloading remote media.
|
||||
Synapse instances with the media repository enabled can be
|
||||
tricked into downloading a file from a remote server into an
|
||||
arbitrary directory, potentially outside the media store
|
||||
directory. The last two directories and file name of the path
|
||||
are chosen randomly by Synapse and cannot be controlled by an
|
||||
attacker, which limits the impact. Homeservers with the media
|
||||
repository disabled are unaffected. Homeservers configured with
|
||||
a federation whitelist are also unaffected. Fixed by
|
||||
91f2bd090.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 17 14:19:53 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
name: matrix-synapse
|
||||
version: 1.47.0
|
||||
mtime: 1637154612
|
||||
commit: 9f9d82aa846332189e818f51d49daf2335780014
|
||||
version: 1.47.1
|
||||
mtime: 1637347213
|
||||
commit: 8fa83999d688bb4c1747f2237002422e566e085f
|
||||
|
||||
|
@ -47,7 +47,7 @@
|
||||
%define pkgname matrix-synapse
|
||||
%define eggname matrix_synapse
|
||||
Name: %{pkgname}
|
||||
Version: 1.47.0
|
||||
Version: 1.47.1
|
||||
Release: 0
|
||||
Summary: Matrix protocol reference homeserver
|
||||
License: Apache-2.0
|
||||
|
Loading…
Reference in New Issue
Block a user