Bug 234828

Summary: update net-im/py-matrix-synapse to 0.34.1.1, fix CVE-2019-5885
Product: Ports & Packages Reporter: Sascha Biberhofer <ports>
Component: Individual Port(s)Assignee: Steve Wills <swills>
Status: Closed FIXED    
Severity: Affects Some People CC: decke, dkasak
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch to update net-im/py-matrix-synapse to 0.34.1.1
none
vuln.xml entry for py-matrix-synapse none

Description Sascha Biberhofer 2019-01-10 17:07:24 UTC
Created attachment 200991 [details]
patch to update net-im/py-matrix-synapse to 0.34.1.1

The synapse team just released 0.34.1.1, fixing CVE-2019-5885, see [1].

I've bumped the version, and some minor dependencies. I had to patch python_dependencies.py to avoid a version check against the prometheus library, as the version shipped w/ FreeBSD is more recent than the one officially supported by synapse.

As a consequence, this update may break monitoring w/ prometheus as it renames some metrics exported by synapse w/ the old version, see [2]. This seems unavoidable however, as our synapse package is either broken or exports different metric names, hence I chose the lesser evil. 

In any case, the new version seems to work fine. We should probably update this asap and push it to the quarterly repos too.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v0.34.1.1
[2] https://github.com/matrix-org/synapse/issues/4221
Comment 1 Steve Wills freebsd_committer 2019-01-14 16:02:32 UTC
I can't seem to find enough information on this CVE to create a VuXML entry. Is the issue not public yet? Or can you point me at the info or write a VuXML entry?
Comment 2 Sascha Biberhofer 2019-01-14 16:45:54 UTC
(In reply to Steve Wills from comment #1)

The CVE is not yet public, but will probably be at some point later today (according to communications w/ upstream). The only public information on this vulnerability is currently [1] afaik. I'll add a patch w/ a preliminary vuln.xml entry based on these facts (though I've never made one before, so I hope this turns out ok).

Cheers,
Sascha

[1] https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/
Comment 3 Sascha Biberhofer 2019-01-14 16:46:54 UTC
Created attachment 201133 [details]
vuln.xml entry for py-matrix-synapse
Comment 4 commit-hook freebsd_committer 2019-01-15 12:21:26 UTC
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:20:44 UTC 2019
New revision: 490365
URL: https://svnweb.freebsd.org/changeset/ports/490365

Log:
  Document py-matrix-synapse issue

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (with slight editing)

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2019-01-15 12:21:29 UTC
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:21:09 UTC 2019
New revision: 490366
URL: https://svnweb.freebsd.org/changeset/ports/490366

Log:
  net-im/py-matrix-synapse: update to 0.34.1.1, fix CVE-2019-5885

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2019Q1
  Security:	383931ba-1818-11e9-92ea-448a5b29e8a9

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/patch-python_dependencies.py
Comment 6 commit-hook freebsd_committer 2019-01-15 12:22:33 UTC
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:22:07 UTC 2019
New revision: 490367
URL: https://svnweb.freebsd.org/changeset/ports/490367

Log:
  MFH: r490366

  net-im/py-matrix-synapse: update to 0.34.1.1, fix CVE-2019-5885

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	383931ba-1818-11e9-92ea-448a5b29e8a9
  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/net-im/py-matrix-synapse/Makefile
  branches/2019Q1/net-im/py-matrix-synapse/distinfo
  branches/2019Q1/net-im/py-matrix-synapse/files/patch-python_dependencies.py
Comment 7 Steve Wills freebsd_committer 2019-01-15 12:23:29 UTC
Committed, thanks!