Marcus Rueckert
fdd3a7f61a
- Update to 1.47.1
This release fixes a security issue in the media store, affecting
all prior releases of Synapse. Server administrators are
encouraged to update Synapse as soon as possible. We are not
aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use
the workarounds described in the linked GitHub Security Advisory
below.
- Security Advisory:
GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
downloading remote media.
Synapse instances with the media repository enabled can be
tricked into downloading a file from a remote server into an
arbitrary directory, potentially outside the media store
directory. The last two directories and file name of the path
are chosen randomly by Synapse and cannot be controlled by an
attacker, which limits the impact. Homeservers with the media
repository disabled are unaffected. Homeservers configured with
a federation whitelist are also unaffected. Fixed by
91f2bd090.
OBS-URL: https://build.opensuse.org/request/show/933284
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=198
|
||
|---|---|---|
| _service | ||
| .gitattributes | ||
| .gitignore | ||
| 10719-Fix-instert-of-duplicate-key-into-event_json.patch | ||
| dont-bump-cryptography-with-system-openssl.patch | ||
| matrix-synapse-1.4.1-paths.patch | ||
| matrix-synapse-1.47.1.obscpio | ||
| matrix-synapse-generate-config.sh | ||
| matrix-synapse-test.spec | ||
| matrix-synapse-user.conf | ||
| matrix-synapse.changes | ||
| matrix-synapse.obsinfo | ||
| matrix-synapse.service | ||
| matrix-synapse.spec | ||
| matrix-synapse.tmpfiles.d | ||
| README.SUSE | ||
| series | ||
README.SUSE ------------- Bootstrapping a server ======================== /usr/sbin/matrix-synapse-generate-config servername