Created attachment 224848 [details] net-im/py-matrix-synapse: Update to 1.33.2

Version 1.33.2 is a security update to 1.33.1 and basically consists of a fix for a denial of service vulnerability by which malicious push rules could cause synapse to use large amounts of CPU. Furthermore, since the problem with py-attrs has been fixed in the more recent attrs release and the attrs version in ports is fine anyway, I've removed the maximum version requirement to stay in sync with upstream version requirements. portlint: "OK" (3 Warnings, none new) testport: OK (poudriere: 130amd64) do-test: OK (Ran 1608 tests in 739.471s, PASSED (skips=35, successes=1573)) The resulting package appears to run just fine in production. I'll also try and write a suitable vuxml entry as soon as I get to it.
Created attachment 224849 [details] vuln.xml: Add entry for py-matrix-synapse versions < 1.33.2 Here's the aforementioned vuln.xml entry.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=88da10f9e38e41a2f2fd7082f3ce7335460b7643 commit 88da10f9e38e41a2f2fd7082f3ce7335460b7643 Author: Sascha Biberhofer <ports@skyforge.at> AuthorDate: 2021-05-11 15:18:00 +0000 Commit: Neel Chauhan <nc@FreeBSD.org> CommitDate: 2021-05-11 15:19:59 +0000 net-im/py-matrix-synapse: Update to 1.33.2 PR: 255791 MFH: 2021Q2 Security: CVE-2021-29471 net-im/py-matrix-synapse/Makefile | 4 ++-- net-im/py-matrix-synapse/distinfo | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-)
A commit in branch 2021Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=27ae9ff95f4ace34656c7fb6b72064e6dad426af commit 27ae9ff95f4ace34656c7fb6b72064e6dad426af Author: Sascha Biberhofer <ports@skyforge.at> AuthorDate: 2021-05-11 16:24:26 +0000 Commit: Neel Chauhan <nc@FreeBSD.org> CommitDate: 2021-05-11 16:24:47 +0000 net-im/py-matrix-synapse: Update to 1.33.2 PR: 255791 MFH: 2021Q2 Security: CVE-2021-29471 (cherry picked from commit 88da10f9e38e41a2f2fd7082f3ce7335460b7643) net-im/py-matrix-synapse/Makefile | 2 +- net-im/py-matrix-synapse/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-)
Committed!
Synapse 1.33.2 seems to require cryptography>=3.4.7, but py37-cryptography 3.3.2 is the latest version available in ports at the moment, which results in the service no longer starting after upgrading to 1.33.2 (unless I manually update cryptography via pip).
(In reply to linus.sundqvist from comment #5) The version requirement of py-matrix-synapse on py-cryptography was made in response to the recent openssl vulnerability and does not reflect an actual requirement. This is also why we (after seeking approval from upstream) currently patch that dependency check from the port, as otherwise synapse checks required versions on start and refuses to run. Are you using the quarterly branch? From a quick git diff w/ the 2021Q2 branch the cherry-picked commit does not incorporate that dependency patch, which would cause this problem. I feel like that's a bit out of my hands, perhaps Neel can fix this?
Yes, I'm running 2021Q2 branch.
In case people run into this and look to the bugtracker for a quick workaround: You can open the file /usr/local/lib/python3.8/site-packages/synapse/python_dependencies.py (perhaps adjusted for the python version you use) and comment out (or remove) line 85 containing the version check on cryptography. I hope we can get the backport fixed quickly. :/
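The start-up refusal discussed in comments 5 and 8 comes from a dependency check that compares the installed package versions against the requirement list and aborts on the first mismatch. The following is an added example, not Synapse's own code nor the port's patch: it re-implements a check of that shape in plain Python so the behaviour can be reproduced offline. The specifier cryptography>=3.4.7 and the installed version 3.3.2 are the ones from this thread; the relaxed lower bound used for the "patched" list, the attrs specifiers and the installed attrs version are assumptions made for illustration (the thread only says the attrs maximum-version requirement was dropped).

```python
"""Model of a start-up dependency check of the kind Synapse performs.

Added example, not Synapse's or the port's code.  Synapse's real check lives in
synapse/python_dependencies.py; this stand-alone version re-implements the
version comparison so it runs without pkg_resources or packaging installed.
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for "what is installed" (the thread gives 3.3.2 for
# cryptography; the attrs version is assumed).
INSTALLED: Dict[str, str] = {
    "cryptography": "3.3.2",
    "attrs": "21.2.0",
}

_SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*)$")
_CLAUSE_RE = re.compile(r"^\s*(>=|<=|==|!=|<|>)\s*([0-9][0-9A-Za-z.]*)\s*$")

OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.4.7' -> (3, 4, 7).  Stops at the first non-numeric component,
    so a pre-release tag such as '3.4.7rc1' is treated as 3.4.7 (simplification)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare with zero padding so that 3.4 == 3.4.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(installed: str, clauses: str) -> bool:
    """True if `installed` meets every comma-separated clause, e.g. '>=3.4.7,<4'."""
    if not clauses.strip():
        return True
    iv = parse_version(installed)
    for clause in clauses.split(","):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, want = m.groups()
        if not OPS[op](_cmp(iv, parse_version(want))):
            return False
    return True


def check_requirements(requirements: List[str],
                       installed: Dict[str, str] = INSTALLED) -> List[str]:
    """Return one error string per unmet requirement.  An empty list means the
    service may start; a non-empty one is what makes Synapse refuse to run."""
    errors = []
    for req in requirements:
        m = _SPEC_RE.match(req)
        name, clauses = m.group(1).lower(), m.group(2)
        have = installed.get(name)
        if have is None:
            errors.append(f"Need {name}, but it is not installed")
        elif not satisfies(have, clauses):
            errors.append(f"Need {name}{clauses}, got {name}=={have}")
    return errors


# Requirement list as shipped: the cryptography pin is the one from comment 5,
# the attrs upper bound is an assumed illustration of a maximum-version clause.
UPSTREAM_REQUIREMENTS = ["cryptography>=3.4.7", "attrs>=19.2.0,<21.1.0"]
# Requirement list with the pin relaxed and the attrs upper bound dropped, in
# the spirit of the port's patch (the exact bounds it uses are assumed here).
PATCHED_REQUIREMENTS = ["cryptography>=3.3.2", "attrs>=19.2.0"]

if __name__ == "__main__":
    for label, reqs in (("upstream", UPSTREAM_REQUIREMENTS),
                        ("patched", PATCHED_REQUIREMENTS)):
        errs = check_requirements(reqs)
        print(label, "->", "OK" if not errs else errs)
```

Running the block prints a failure for the upstream list against an installed cryptography 3.3.2 and an OK for the relaxed list, which is exactly the difference between the main-branch port (patched) and the initial 2021Q2 cherry-pick (unpatched) described above. The same function can be pointed at a real environment by filling `INSTALLED` from `importlib.metadata.version()`.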
(In reply to Sascha Biberhofer from comment #8) Seems to be working, thank you!
(I'm reopening this issue until the quarterly branch has been fixed)
A commit in branch 2021Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=1db4eced0d392da9c4a56587b47e9a667525d0ac commit 1db4eced0d392da9c4a56587b47e9a667525d0ac Author: Neel Chauhan <nc@FreeBSD.org> AuthorDate: 2021-05-12 14:25:01 +0000 Commit: Neel Chauhan <nc@FreeBSD.org> CommitDate: 2021-05-12 14:25:01 +0000 net-im/py-matrix-synapse: Fix dependency check on 2021Q2 PR: 255791 .../files/patch-synapse_python__dependencies.py (new) | 11 +++++++++++ 1 file changed, 11 insertions(+)
Committed the fix!