Bug 283350 - net-im/py-matrix-synapse: Update to 1.120.2, fix multiple CVEs
Summary: net-im/py-matrix-synapse: Update to 1.120.2, fix multiple CVEs
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Ashish SHUKLA
URL: https://github.com/element-hq/synapse...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-12-15 15:48 UTC by Sascha Biberhofer
Modified: 2024-12-17 11:35 UTC

See Also:


Attachments
net-im/py-matrix-synapse: Update to 1.120.2 (10.75 KB, patch)
2024-12-15 15:48 UTC, Sascha Biberhofer
security/vuxml: Add CVEs for synapse versions prior to 1.120.1 (2.70 KB, patch)
2024-12-15 16:08 UTC, Sascha Biberhofer

Description Sascha Biberhofer 2024-12-15 15:48:37 UTC
Created attachment 255878
net-im/py-matrix-synapse: Update to 1.120.2

This patch updates the synapse port from 1.118.0 to 1.120.2 to fix multiple CVEs present in prior synapse versions:

* [1] CVE-2024-52805 (high)
* [2] CVE-2024-52815 (high)
* [3] CVE-2024-53863 (high)
* [4] CVE-2024-53867 (moderate)
* [5] CVE-2024-37302 (high)
* [6] CVE-2024-37303 (moderate)


From a ports perspective, the update includes some minor dependency changes and a version bump. The updated port builds fine on my setup and passes the usual testsuite:

Ran 3887 tests in 134.485s, PASSED (skips=177, successes=3710)

The resulting package has been running fine on my server for the last 48h, so I don't expect any breakage for users upgrading from the prior version.

As always, feedback is much appreciated. :)

Kind regards,
Sascha


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52805
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52815
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53863
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53867
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37302
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37303
Comment 1 Sascha Biberhofer 2024-12-15 16:08:37 UTC
Created attachment 255879
security/vuxml: Add CVEs for synapse versions prior to 1.120.1

In addition to the port update, here's a vuxml entry summarizing the CVE information.
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-12-16 22:24:17 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ed0cc647e12f225e595c5c6d436f721766e6344d

commit ed0cc647e12f225e595c5c6d436f721766e6344d
Author:     Sascha Biberhofer <sascha.biberhofer@skyforge.at>
AuthorDate: 2024-12-15 15:29:07 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-12-16 22:13:54 +0000

    net-im/py-matrix-synapse: Update to 1.120.2

    Signed-off-by: Sascha Biberhofer <sascha.biberhofer@skyforge.at>

    PR:             283350
    Security:       71f3e9f0-bafc-11ef-885d-901b0e934d69
    Security:       CVE-2024-52805
    Security:       CVE-2024-52815
    Security:       CVE-2024-53863
    Security:       CVE-2024-53867
    Security:       CVE-2024-37302
    Security:       CVE-2024-37303
    MFH:            2024Q4

 net-im/py-matrix-synapse/Makefile                  |  7 ++--
 net-im/py-matrix-synapse/Makefile.crates           | 16 ++++-----
 net-im/py-matrix-synapse/distinfo                  | 38 +++++++++++-----------
 .../py-matrix-synapse/files/patch-pyproject.toml   |  2 +-
 4 files changed, 31 insertions(+), 32 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-12-16 22:24:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8800222e62060da674235c9ac44e5dbb3d161d5d

commit 8800222e62060da674235c9ac44e5dbb3d161d5d
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2024-12-16 22:06:54 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-12-16 22:13:39 +0000

    security/vuxml: Document net-im/py-matrix-synapse vulnerability

    Signed-off-by: Sascha Biberhofer <sascha.biberhofer@skyforge.at>

    PR:             283350
    Reviewed by:    ashish

 security/vuxml/vuln/2024.xml | 47 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 4 Ashish SHUKLA freebsd_committer freebsd_triage 2024-12-16 22:34:09 UTC
(In reply to commit-hook from comment #3)

My apologies for messing up the authorship in https://cgit.freebsd.org/ports/commit/?id=8800222e62060da674235c9ac44e5dbb3d161d5d

I'm waiting on 2024Q4 builds to complete before committing.
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-12-17 11:34:10 UTC
A commit in branch 2024Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1c0632147b73f4a2a4a69a750f6527a3fdee07f9

commit 1c0632147b73f4a2a4a69a750f6527a3fdee07f9
Author:     Sascha Biberhofer <sascha.biberhofer@skyforge.at>
AuthorDate: 2024-12-15 15:29:07 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-12-17 11:32:55 +0000

    net-im/py-matrix-synapse: Update to 1.120.2

    Signed-off-by: Sascha Biberhofer <sascha.biberhofer@skyforge.at>

    PR:             283350
    Security:       71f3e9f0-bafc-11ef-885d-901b0e934d69
    Security:       CVE-2024-52805
    Security:       CVE-2024-52815
    Security:       CVE-2024-53863
    Security:       CVE-2024-53867
    Security:       CVE-2024-37302
    Security:       CVE-2024-37303
    MFH:            2024Q4
    (cherry picked from commit ed0cc647e12f225e595c5c6d436f721766e6344d)

 net-im/py-matrix-synapse/Makefile                  |  6 ++--
 net-im/py-matrix-synapse/Makefile.crates           | 16 ++++-----
 net-im/py-matrix-synapse/distinfo                  | 38 +++++++++++-----------
 .../py-matrix-synapse/files/patch-pyproject.toml   |  4 +--
 4 files changed, 32 insertions(+), 32 deletions(-)
Comment 6 Ashish SHUKLA freebsd_committer freebsd_triage 2024-12-17 11:35:33 UTC
Thank you, and apologies for messing up the authorship.