
(-)vuln.xml (+40 lines)
Lines 58-63 Link Here
58
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
58
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
59
-->
59
-->
60
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
60
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
61
  <vuln vid="452b3b2a-3c06-11eb-adb6-e86a64caca56">
62
    <topic>py-matrix-synapse -- DoS on Federation API</topic>
63
    <affects>
64
      <package>
65
	<name>py36-matrix-synapse</name>
66
	<name>py37-matrix-synapse</name>
67
	<name>py38-matrix-synapse</name>
68
	<name>py39-matrix-synapse</name>
69
	<range><lt>1.23.1</lt></range>
70
      </package>
71
    </affects>
72
    <description>
73
      <body xmlns="http://www.w3.org/1999/xhtml">
74
	<p>Matrix developers reports:</p>
75
	<blockquote cite="https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm">
76
	  <p>A malicious or poorly-implemented homeserver can inject malformed
77
	    events into a room by specifying a different room id in the path of
78
	    a /send_join, /send_leave, /invite or /exchange_third_party_invite
79
	    request.
80
81
	    This can lead to a denial of service in which future events will
82
	    not be correctly sent to other servers over federation.
83
84
	    This affects any server which accepts federation requests from
85
	    untrusted servers.</p>
86
	</blockquote>
87
      </body>
88
    </description>
89
    <references>
90
      <cvename>CVE-2020-26257</cvename>
91
      <url>https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm</url>
92
      <url>https://github.com/matrix-org/synapse/releases/tag/v1.24.0</url>
93
      <freebsdpr>ports/251768</freebsdpr>
94
    </references>
95
    <dates>
96
      <discovery>2020-12-09</discovery>
97
      <entry>2020-12-11</entry>
98
    </dates>
99
  </vuln>
100
61
  <vuln vid="88dfd92f-3b9c-11eb-929d-d4c9ef517024">
101
  <vuln vid="88dfd92f-3b9c-11eb-929d-d4c9ef517024">
62
    <topic>LibreSSL -- NULL pointer dereference</topic>
102
    <topic>LibreSSL -- NULL pointer dereference</topic>
63
    <affects>
103
    <affects>
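
Review bot: The `<range><lt>1.23.1</lt></range>` in `<affects>` and the second `<url>` in `<references>` (the v1.24.0 release tag) name different versions. Please confirm against the cited advisory which release carries the fix and make the two agree, since the `<lt>` bound decides which installed packages are flagged. In `<description>`, "Matrix developers reports:" should read "Matrix developers report:", and the blockquote puts three paragraphs separated by blank lines into a single `<p>`, which renders as one run of text; use one `<p>` per paragraph.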
