Update to 1.11.0
Created attachment 211798 [details] patch
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/119937222
Hi! I think this update introduces a problem w/ the sqlite support, as is noticeable when running the test suite. According to upstream, it seems that synapse now relies on the json1 support within sqlite3. By default, however, the packaged version of sqlite3 in FreeBSD doesn't contain this support, which probably breaks synapse for anyone using synapse w/ an sqlite3 backend on FreeBSD. I'm not sure how to proceed from here. I can't, to the best of my knowledge, directly depend on a given option in a port. The only way to fix this might be to include the json1 option in sqlite3, for which I'll file a separate bug report. I'm also in contact with upstream to see if and how we can resolve this any other way.
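An added check, not from the bug report or the Synapse project, that probes whether the sqlite3 library Python links against actually provides the JSON1 functions the comment above says Synapse now relies on; the function and dict key names are my own.

```python
import sqlite3


def has_json1(conn=None):
    """Return True if the linked SQLite exposes the JSON1 functions
    (json_valid, json_extract, ...) that Synapse's sqlite backend uses."""
    own_conn = conn is None
    if own_conn:
        conn = sqlite3.connect(":memory:")
    try:
        # Probing a real JSON function is more reliable than reading
        # PRAGMA compile_options: SQLite >= 3.38.0 ships JSON by default
        # and no longer lists ENABLE_JSON1 there.
        row = conn.execute(
            "SELECT json_valid('{\"a\": 1}'), json_extract('{\"a\": 1}', '$.a')"
        ).fetchone()
        return row == (1, 1)
    except sqlite3.OperationalError as exc:
        # A build without JSON1 fails with "no such function: json_valid".
        if "no such function" in str(exc):
            return False
        raise
    finally:
        if own_conn:
            conn.close()


def json_compile_options():
    """Return the JSON-related PRAGMA compile_options entries (may be
    empty on modern builds even though JSON is available)."""
    conn = sqlite3.connect(":memory:")
    try:
        rows = conn.execute("PRAGMA compile_options").fetchall()
    finally:
        conn.close()
    return sorted(opt for (opt,) in rows if "JSON" in opt)


def synapse_sqlite_report():
    """Summarise whether a Synapse 1.11+ install with a sqlite3 backend can
    work on this host; json1_available == False means the upgrade breaks it."""
    return {
        "sqlite_version": sqlite3.sqlite_version,
        "json1_available": has_json1(),
        "json_compile_options": json_compile_options(),
    }


if __name__ == "__main__":
    print(synapse_sqlite_report())
```

Run it with the same Python interpreter that runs Synapse, since that is the sqlite3 library that matters.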
Created attachment 212130 [details] net-im/py-matrix-synapse: update to 1.11.1 (fixes security issue)

In the meantime, the matrix developers have released version 1.11.1, an update which fixes a security vulnerability in synapse (see [1]). One should note that this vulnerability only affects users using SSO with synapse. I will probably write a vuxml entry for this tomorrow. The attached patch should bump our port to 1.11.1, but we still need an sqlite3 version supporting JSON1, otherwise the update breaks sqlite installations.

[1] https://github.com/matrix-org/synapse/releases/tag/v1.11.1
Created attachment 212157 [details] vuxml entry for py-matrix-synapse versions prior to 1.11.1

Here's a vuxml entry for this issue.
A commit references this bug:

Author: decke
Date: Wed Mar 11 10:58:21 UTC 2020
New revision: 528227
URL: https://svnweb.freebsd.org/changeset/ports/528227

Log:
  Document py-matrix-synapse vulnerabilities

  PR:           244279
  Submitted by: Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml
Created attachment 213297 [details] net-im/py-matrix-synapse: Update to 1.12.3

After skipping 1.12.0 due to problems in postgres-only configurations (see [1]), we've now reached 1.12.3. This version has worked fine on my server for the last few days and also works with the py-twisted version currently discussed in [2]. It should be noted that py-matrix-synapse is currently vulnerable to the request smuggling CVE contained in the old py-twisted version, as was mentioned in the release notes of synapse in [3]. This update is of course still blocked by the missing JSON1 option in sqlite, which has since been incorporated into [4].

[1] https://github.com/matrix-org/synapse/issues/7127
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245252
[3] https://github.com/matrix-org/synapse/releases/tag/v1.12.0
[4] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243602
(In reply to Sascha Biberhofer from comment #7) If this change (matrix update) requires any of the other issues (bug 245252, bug 243602), please add them to the Depends On field.
@Sascha Can you confirm:
- this version update can land independently from the twisted update in bug 245252, modulo the request smuggling vulnerability in the current version you mentioned in comment 7
- that this version is OK with the current version of Twisted in ports (I haven't had a chance to run through any requirements changes)
(In reply to Kubilay Kocak from comment #9) Sorry for the delay. The synapse update is completely independent of the updates in bug 245252 and bug 243602. This is particularly true for the py-twisted update, otherwise I'd have bumped the dependency requirements. :) We only depend on the JSON1 option of sqlite3 mentioned in bug 244366, so the "depends on" information is still accurate. However, as you've noted, we're still vulnerable to request smuggling without the py-twisted update. This is however a different issue and probably more suitably discussed in bug 245252; py-matrix-synapse 1.12.3 works with either version.
Thank you for the detail and confirmation. Danilo (dbaio) is taking care of QA'ing Firefox/Thunderbird with (only) JSON1 enabled. We should be good to progress this and the dependent issue after that.
A commit references this bug:

Author: dbaio
Date: Tue Apr 21 15:02:33 UTC 2020
New revision: 532273
URL: https://svnweb.freebsd.org/changeset/ports/532273

Log:
  net-im/py-matrix-synapse: Update to 1.12.3, Fixes security vulnerability

  Changelog:    https://github.com/matrix-org/synapse/blob/v1.12.3/CHANGES.md

  PR:           244279
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Reported by:  Alexander Sieg <ports@xanderio.de>
  MFH:          2020Q2
  X-MFH-with:   532268
  Security:     1afe9552-5ee3-11ea-9b6d-901b0e934d69

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
A commit references this bug:

Author: dbaio
Date: Wed Apr 22 10:52:21 UTC 2020
New revision: 532465
URL: https://svnweb.freebsd.org/changeset/ports/532465

Log:
  MFH: r532273

  net-im/py-matrix-synapse: Update to 1.12.3, Fixes security vulnerability

  Changelog:    https://github.com/matrix-org/synapse/blob/v1.12.3/CHANGES.md

  PR:           244279
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Reported by:  Alexander Sieg <ports@xanderio.de>
  X-MFH-with:   532268
  Security:     1afe9552-5ee3-11ea-9b6d-901b0e934d69
  Approved by:  ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/net-im/py-matrix-synapse/Makefile
  branches/2020Q2/net-im/py-matrix-synapse/distinfo
Committed, thank you all!