FreeBSD Bugzilla – Attachment 218811 Details for Bug 249948 – net-im/py-matrix-synapse: Security update to 1.21.2
[patch] vuxml: Add entry for py-matrix-synapse XSS vulnerability
vuxml-py-matrix-synapse-1.21.2.patch (text/plain), 1.70 KB, created by Sascha Biberhofer on 2020-10-16 20:29:44 UTC
>diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml >index bf542c9dd1b8..81ba97414395 100644 >--- a/security/vuxml/vuln.xml >+++ b/security/vuxml/vuln.xml >@@ -58,6 +58,35 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="60b9a5f5-0feb-11eb-a00e-901b0e934d69"> >+ <topic>py-matrix-synapse -- XSS vulnerability</topic> >+ <affects> >+ <package> >+ <name>py36-matrix-synapse</name> >+ <name>py37-matrix-synapse</name> >+ <name>py38-matrix-synapse</name> >+ <range><lt>1.21.0</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Matrix developers report:</p> >+ <blockquote cite="https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq"> >+ <p>The fallback authentication endpoint served via Synapse were vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2020-26891</cvename> >+ <url>https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq</url> >+ <url>https://github.com/matrix-org/synapse/releases/tag/v1.21.2</url> >+ </references> >+ <dates> >+ <discovery>2020-10-15</discovery> >+ <entry>2020-10-16</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="42926d7b-0da3-11eb-8dbd-6451062f0f7a"> > <topic>Flash Player -- arbitrary code execution</topic> > <affects>
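Review bot: The `<range><lt>1.21.0</lt></range>` bound in the new `<vuln>` entry does not line up with the second `<url>` in `<references>`, which points at the v1.21.2 release tag, or with the 1.21.2 in the patch filename. Please confirm against the cited GHSA-3x8c-fmpc-5rmq advisory which release first carries the fix. If it is 1.21.0, the range is right and the v1.21.2 URL should be replaced with the release that actually contains the fix (or dropped), so readers do not assume 1.21.0 and 1.21.1 are affected. If the fix landed later, raise the `<lt>` bound so that `pkg audit` still flags those installs.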
Flags: ports: maintainer-approval+