Created attachment 218006
net-im/py-matrix-synapse: Update to 1.19.2

The synapse developers just released 1.19.2, fixing a bug in synapse's handling of certain events that may break federated rooms[1]. This patch bumps the version of synapse to 1.19.2 to fix these issues.

portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1142 tests in 417.952s, PASSED (skips=5, successes=1137))

Package seems to run fine on my server. I'll append a patch for the corresponding vuxml entry in the next message. :)

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.19.2
Created attachment 218007
Add a vuxml entry for py-matrix-synapse 1.19.1 and below

This is the corresponding vuln.xml entry, as best as I could create one from the commit.
*** Bug 249373 has been marked as a duplicate of this bug. ***
Hello. As I'm using Synapse at home too I'd like to ask for a favor:

1. Please set "Importance" to "Affects some people".
2. Add "Keywords" "easy, patch-ready", can speed up things a lot.
3. As you are maintainer don't forget to approve patches/ticket. Without maintainer approval we are falling into long maintainer timeout period until someone will take a look.
4. If that's a security issue it probably should be propagated to quarterly replacing older vulnerable version there.

Big thanks for porting Synapse!
(In reply to Volodymyr Kostyrko from comment #3) Thank you for the feedback! Ad 1 and 3: The last time I submitted an update, I set the importance to "affects some people" but it was downgraded to "affects only me" afterwards, so I'm not sure which level is appropriate here. Also, I've been told that the maintainer feedback flags are only meant to be used if the feedback has been explicitly requested for some reason, so I don't set them when I simply submit a bug. Ad 2: I'll add that, thank you :)
^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval

Attachment -> Details -> maintainer-approval [+]
Created attachment 218081
net-im/py-matrix-synapse: Update to 1.19.3

The synapse developers have now released 1.19.3, containing an additional bugfix for malformed events. I've updated that patch accordingly. The resulting port builds and tests just as fine as 1.19.2 did.

portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1142 tests in 417.952s, PASSED (skips=5, successes=1137))

There's a new release (1.20.0) planned for next week, which will contain these fixes as well as further feature updates. Is there anything else I can do to help this get merged?

Cheers,
Sascha
I think we don't need to merge it to the quarterly branch or add an entry to the vuxml, anyway thanks for that. Waiting for build tests.
A commit references this bug:

Author: dbaio
Date: Sat Sep 19 18:13:56 UTC 2020
New revision: 549046
URL: https://svnweb.freebsd.org/changeset/ports/549046

Log:
  net-im/py-matrix-synapse: Update to 1.19.3

  Changelog: https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md

  PR:           249375
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Event:        September 2020 Bugathon

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
Committed, thanks!
(In reply to Danilo G. Baio from comment #7) Out of curiosity, why not a vuxml entry?
(In reply to Denis Kasak from comment #10)

Usually the project (matrix-org/synapse) documents its security issues; they didn't with this one. "malformed events may prevent users from joining federated rooms" looks like a simple bug to me. That's why I understood that there is no security implication here. I'm not a synapse user, so I can be wrong, and I'll be happy to push a vuxml entry, but we will need to improve that wording a little.

Regards.
(In reply to Danilo G. Baio from comment #11)

The security implication is that this is a classic DoS attack. An attacker sends a malformed event and breaks the application for other users, preventing them from joining. Due to the federation, this is not limited to the attacker's homeserver but also affects all other participating homeservers in the room with the malformed event. It definitely seems like a security issue to me, but I'm curious to hear your opinion about it.
(In reply to Denis Kasak from comment #12) Thanks for the information, could you update the vuxml patch? If version 1.15.2 is affected, I'll ask for approval to merge this update (with the other ones) to the quarterly branch 2020Q3.
Created attachment 218143
Updated vuxml entry for py-matrix-synapse 1.19.1 and below

Here's an updated vuxml entry with a more detailed description. Sending as an ordinary diff instead of a git patch since I don't have a git clone of ports ready and it takes ages. (Is there already an official git mirror somewhere?)

Let me know if there's anything else.
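As an added illustration, not the attachment posted in this thread, this is what a vuln.xml entry for the issue looks like in the FreeBSD VuXML format, using the affected range, description and entry date stated in the thread. The vid and the discovery date are placeholders, and the list of Python-flavored package names beyond py37 is an assumption.

```xml
<!-- Illustrative VuXML entry (not the one committed in r549530). -->
<!-- PLACEHOLDER vid: real entries use a freshly generated UUID (uuidgen). -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>py-matrix-synapse -- denial of service via malformed events</topic>
  <affects>
    <package>
      <!-- py37 is the flavor seen in this thread; other pyXY- flavors of the
           port would be listed the same way (assumption). -->
      <name>py37-matrix-synapse</name>
      <!-- 1.19.1 and below are affected; 1.19.2 carries the fix. -->
      <range><lt>1.19.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Synapse release notes report:</p>
      <blockquote cite="https://github.com/matrix-org/synapse/releases/tag/v1.19.2">
        <p>Malformed events may prevent users from joining federated rooms.</p>
      </blockquote>
      <p>A single malformed event sent by a remote participant can therefore
        deny room joins to users on every homeserver taking part in the
        affected room, not only on the sender's homeserver.</p>
    </body>
  </description>
  <references>
    <url>https://github.com/matrix-org/synapse/releases/tag/v1.19.2</url>
    <url>https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md</url>
  </references>
  <dates>
    <!-- PLACEHOLDER: the upstream release date is not stated in this thread. -->
    <discovery>YYYY-MM-DD</discovery>
    <!-- Date of the vuxml commit referenced in this bug. -->
    <entry>2020-09-21</entry>
  </dates>
</vuln>
```

After adding an entry, `make validate` in security/vuxml checks the XML against the schema, and `pkg audit -F` on a host with the affected package should then flag it.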
Comment on attachment 218143
Updated vuxml entry for py-matrix-synapse 1.19.1 and below

Hi, sorry for the slight delay here and thank you for clearing up the impact of the issue. Updated vuxml entry looks fine to me. :-)
A commit references this bug:

Author: dbaio
Date: Mon Sep 21 21:07:57 UTC 2020
New revision: 549530
URL: https://svnweb.freebsd.org/changeset/ports/549530

Log:
  security/vuxml: Document net-im/py-matrix-synapse issue

  PR:           249375
  Submitted by: Denis Kasak <dkasak@termina.org.uk>
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (earlier version)

Changes:
  head/security/vuxml/vuln.xml
Thank you both. Waiting for approval to merge this (and the other updates) to 2020Q3 branch.
A commit references this bug:

Author: dbaio
Date: Mon Sep 21 22:36:35 UTC 2020
New revision: 549534
URL: https://svnweb.freebsd.org/changeset/ports/549534

Log:
  MFH: r542468 r544604 r545291 r549046

  net-im/py-matrix-synapse: update to 1.17.0

  PR:           248016
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)

  net-im/py-matrix-synapse: Update to 1.18.0

  PR:           248566
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)

  net-im/py-matrix-synapse: Update to 1.19.0

  PR:           248719
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)

  net-im/py-matrix-synapse: Update to 1.19.3

  Changelog: https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md

  PR:           249375
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Event:        September 2020 Bugathon

  Approved by:  ports-secteam (fluffy)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/net-im/py-matrix-synapse/Makefile
  branches/2020Q3/net-im/py-matrix-synapse/distinfo
  branches/2020Q3/net-im/py-matrix-synapse/files/patch-python_dependencies.py
  branches/2020Q3/net-im/py-matrix-synapse/files/patch-synapse_python__dependencies.py
Merged, thank you all!
I am unable to build this package in 2020Q3 because it depends on py37-canonicaljson>=1.2.0, but only 1.1.4 is available in 2020Q3 at the moment, using these options:

DOCS=on: Build and/or install documentation
LDAP=off: LDAP protocol support
OIDC=off: Add dependencies for OpenID Connect based logins
PGSQL=on: PostgreSQL database support
REDIS=off: Add support replication over Redis for synapse workers
SQLITE=off: SQLite database support
URLPREVIEW=on: Add dependencies necessary for URL previews

===>   py37-matrix-synapse-1.19.3 depends on package: py37-canonicaljson>=1.2.0 - not found
===>   Installing existing package /packages/All/py37-canonicaljson-1.1.4.txz
[12_1-FreeBSD-2020Q3-job-01] Installing py37-canonicaljson-1.1.4...
[12_1-FreeBSD-2020Q3-job-01] `-- Installing py37-simplejson-3.17.0...
[12_1-FreeBSD-2020Q3-job-01] `-- Extracting py37-simplejson-3.17.0: .......... done
[12_1-FreeBSD-2020Q3-job-01] Extracting py37-canonicaljson-1.1.4: ......... done
===>   py37-matrix-synapse-1.19.3 depends on package: py37-canonicaljson>=1.2.0 - not found
*** Error code 1
(In reply to linus.sundqvist from comment #20)

Thanks for reporting it.

Updating devel/py-canonicaljson to 1.2.0 (alone) will break bulk -a. This is what I tracked; I've sent an email to ports-secteam and portmgr to see their thoughts (and approval) to merge.

devel/py-canonicaljson:
  ports r544404 - Update to 1.2.0 (USES= python --> USES= python:3.5+)

security/py-signedjson:
  ports r542025 - Fix RUN_DEPENDS Python 3.8 (devel/py-importlib-metadata)
  ports r542200 - Manually, just on security/py-signedjson (USES= python --> USES= python:3.6+)
A commit references this bug:

Author: dbaio
Date: Wed Sep 23 21:17:31 UTC 2020
New revision: 549855
URL: https://svnweb.freebsd.org/changeset/ports/549855

Log:
  MFH: r542025 r544404

  Fix RUN_DEPENDS

  - Bump PORTREVISION for dependency change

  devel/py-importlib-metadata is not required for python 3.8+.

  Update to 1.2.0

  Changes: https://github.com/matrix-org/python-canonicaljson/blob/master/CHANGES.md

  MFH: r542200 (partial)

  Update Python requirements for security/py-signedjson (avoid break bulk -a)

  PR:           249375
  Approved by:  ports-secteam (fluffy)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/devel/py-canonicaljson/Makefile
  branches/2020Q3/devel/py-canonicaljson/distinfo
  branches/2020Q3/security/py-signedjson/Makefile
  branches/2020Q3/security/py-signedjson/files/