Created attachment 200991 [details]
patch to update net-im/py-matrix-synapse to 0.34.1.1

The synapse team just released 0.34.1.1, fixing CVE-2019-5885, see [1]. I've bumped the version, and some minor dependencies. I had to patch python_dependencies.py to avoid a version check against the prometheus library, as the version shipped w/ FreeBSD is more recent than the one officially supported by synapse.

As a consequence, this update may break monitoring w/ prometheus as it renames some metrics exported by synapse w/ the old version, see [2]. This seems unavoidable however, as our synapse package is either broken or exports different metric names, hence I chose the lesser evil. In any case, the new version seems to work fine.

We should probably update this asap and push it to the quarterly repos too.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v0.34.1.1
[2] https://github.com/matrix-org/synapse/issues/4221
I can't seem to find enough information on this CVE to create a VuXML entry. Is the issue not public yet? Or can you point me at the info or write a VuXML entry?
(In reply to Steve Wills from comment #1)

The CVE is not yet public, but will probably be at some point later today (according to communications w/ upstream). The only public information on this vulnerability is currently [1] afaik. I'll add a patch w/ a preliminary vuln.xml entry based on these facts (though I've never made one before, so I hope this turns out ok).

Cheers,
Sascha

[1] https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/
Created attachment 201133 [details]
vuln.xml entry for py-matrix-synapse
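For readers who, like the submitter, have not written one before: this is the general shape of a VuXML entry for an issue like this one. It is an added illustration, not the attached vuln.xml entry and not the text committed in r490365. The vid, CVE id, fixed version, blog URL and dates are taken from this PR (discovery date from the upstream blog post, entry date from the commit); the flavored package names and the description wording are assumptions, and the description deliberately says no more than the public blog post does.

```xml
<!-- Illustrative VuXML entry (added example, not the committed one).
     Goes inside security/vuxml/vuln.xml, newest entries first. -->
<vuln vid="383931ba-1818-11e9-92ea-448a5b29e8a9">
  <topic>py-matrix-synapse -- critical security update</topic>
  <affects>
    <package>
      <!-- Package names are an assumption: the port is flavored per Python version. -->
      <name>py27-matrix-synapse</name>
      <name>py36-matrix-synapse</name>
      <!-- Every release before the fixed version is treated as affected. -->
      <range><lt>0.34.1.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Matrix.org team reports:</p>
      <blockquote cite="https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/">
        <p>Synapse 0.34.1.1 is a critical security update; all
          administrators are advised to upgrade. Details are withheld
          until the CVE is published. (Wording is a placeholder; quote
          the upstream advisory text in a real entry.)</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2019-5885</cvename>
    <url>https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/</url>
    <url>https://github.com/matrix-org/synapse/releases/tag/v0.34.1.1</url>
  </references>
  <dates>
    <discovery>2019-01-10</discovery>
    <entry>2019-01-15</entry>
  </dates>
</vuln>
```

Two checks are worth running before attaching such an entry: `make validate` in security/vuxml confirms the XML is well-formed against the VuXML DTD, and `pkg audit -F` against an installed py-matrix-synapse older than 0.34.1.1 confirms the `<range>` actually matches the package versions the port produces.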
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:20:44 UTC 2019
New revision: 490365
URL: https://svnweb.freebsd.org/changeset/ports/490365

Log:
  Document py-matrix-synapse issue

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (with slight editing)

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:21:09 UTC 2019
New revision: 490366
URL: https://svnweb.freebsd.org/changeset/ports/490366

Log:
  net-im/py-matrix-synapse: update to 0.34.1.1, fix CVE-2019-5885

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2019Q1
  Security:	383931ba-1818-11e9-92ea-448a5b29e8a9

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/patch-python_dependencies.py
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:22:07 UTC 2019
New revision: 490367
URL: https://svnweb.freebsd.org/changeset/ports/490367

Log:
  MFH: r490366

  net-im/py-matrix-synapse: update to 0.34.1.1, fix CVE-2019-5885

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	383931ba-1818-11e9-92ea-448a5b29e8a9

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/net-im/py-matrix-synapse/Makefile
  branches/2019Q1/net-im/py-matrix-synapse/distinfo
  branches/2019Q1/net-im/py-matrix-synapse/files/patch-python_dependencies.py
Committed, thanks!