Created attachment 227574 [details]
net-im/py-matrix-synapse: Update to 1.41.1

The attached patch is a simple version bump to update net-im/py-matrix-synapse to 1.41.1.

This release contains fixes for two vulnerabilities [1], [2], which may expose room metadata and membership information to unauthorized users. The vulnerability affects all versions of net-im/py-matrix-synapse prior to 1.41.1.

portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 130amd64)
do-test: OK (Ran 1789 tests in 854.478s, PASSED (skips=36, successes=1753))

I've been running the resulting package in production for the past few hours and things look fine, so I don't expect any fallout here.

This should probably also be merged back to quarterly, if possible.

I'll also try and write a vuxml entry tomorrow.

[1] https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q
[2] https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2

^Triage: Needs VuXML entry

Created attachment 227608 [details]
security/vuxml diff

Once port passes testing, I'll commit the security/vuxml update as well.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1d034041502f6783f8259b91b23e650c79fc4f6d

commit 1d034041502f6783f8259b91b23e650c79fc4f6d
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2021-09-02 14:31:26 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-09-02 14:31:26 +0000

    security/vuxml: Document py-matrix-synapse vulnerabilities

    PR: 258187
    Reported by: Sascha Biberhofer <ports@skyforge.at>
    Security: a67e358c-0bf6-11ec-875e-901b0e9408dc
    Security: CVE-2021-39163
    Security: CVE-2021-39164

 security/vuxml/vuln-2021.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1e1181ab180470952c0eacda07094da95c6404f9

commit 1e1181ab180470952c0eacda07094da95c6404f9
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-09-02 14:40:41 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-09-02 14:45:52 +0000

    net-im/py-matrix-synapse: Update to 1.41.1

    This release also fixes two security vulnerabilities

    PR: 258187
    MFH: 2021Q3
    Security: a67e358c-0bf6-11ec-875e-901b0e9408dc
    Security: CVE-2021-39163
    Security: CVE-2021-39164

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c14c6de1be8ebad12bc3a43c23b489d85528f334

commit c14c6de1be8ebad12bc3a43c23b489d85528f334
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-09-02 14:40:41 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-09-02 14:51:06 +0000

    net-im/py-matrix-synapse: Update to 1.41.1

    This release also fixes two security vulnerabilities

    PR: 258187
    MFH: 2021Q3
    Security: a67e358c-0bf6-11ec-875e-901b0e9408dc
    Security: CVE-2021-39163
    Security: CVE-2021-39164

    (cherry picked from commit 1e1181ab180470952c0eacda07094da95c6404f9)

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

Committed, thanks!

P.S. Toggled maintainer-feedback to "+" since submitter is maintainer, and their patch is already good