Bug 247720

Summary: net-im/py-matrix-synapse: Update to 1.15.2 (security)
Product: Ports & Packages
Reporter: Sascha Biberhofer <ports>
Component: Individual Port(s)
Assignee: Li-Wen Hsu <lwhsu>
Status: Closed FIXED
Severity: Affects Many People
CC: lwhsu, ports-secteam, python
Priority: Normal
Keywords: buildisok, security
Version: Latest
Flags: koobs: merge-quarterly+
Hardware: Any
OS: Any
URL: https://github.com/matrix-org/synapse/releases/tag/v1.15.2
Attachments:
- net-im/py-matrix-synapse: 1.14.0 to 1.15.2 (flags: ports: maintainer-approval+)
- py-matrix-synapse 1.15.2 vuln.xml entry (flags: ports: maintainer-approval+)
- py-matrix-synapse 1.15.2 vuln.xml entry (patch format) (flags: ports: maintainer-approval+)

Description Sascha Biberhofer 2020-07-02 17:29:39 UTC
Created attachment 216148
net-im/py-matrix-synapse: 1.14.0 to 1.15.2

The matrix developers have just released synapse 1.15.2 (see [1]), containing security fixes for two vulnerabilities:

- A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers. (96e9afe6)

- HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade. (ea26e9a9)

This patch bumps the port to the aforementioned version. It also adds www/py-pyjwt to the test dependencies, which is necessary to make the testsuite pass successfully.

portlint: "OK" (4 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1063 tests in 327.652s, PASSED (skips=5, successes=1058))

The resulting port also runs fine on my server.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.15.2
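The clickjacking fix above lives in Synapse itself; as an added example (not from this PR, the port, or the Synapse project), here is a small Python check an administrator can run over a homeserver's response headers after upgrading to confirm that HTML pages cannot be framed by other origins. The header sets are constructed samples, not captured traffic.

```python
# Added example, not part of this PR or of Synapse: a checker for the
# anti-clickjacking response headers an administrator would expect on
# HTML pages served by a homeserver after the 1.15.2 upgrade.
# All header values below are constructed for illustration.

def csp_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def frame_protected(headers):
    """True if the response forbids framing by arbitrary third-party origins.

    A Content-Security-Policy frame-ancestors directive takes precedence over
    X-Frame-Options in browsers that support it, so it is evaluated first.
    Only 'none' or 'self' sources count as protected; any host, scheme or
    wildcard source means some other origin may embed the page. An empty
    source list is treated as unprotected here (conservative choice).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            return bool(ancestors) and all(a in ("none", "self") for a in ancestors)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = {
    "no_headers": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}


def audit(responses):
    """Map each sample name to its framing-protection verdict."""
    return {name: frame_protected(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {'protected' if ok else 'FRAMEABLE'}")
```

To check a live deployment, feed the headers of a GET on a served HTML page (for example the SSO pages the advisory mentions) into `frame_protected`.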
Comment 1 Sascha Biberhofer 2020-07-02 17:33:45 UTC
Created attachment 216149
py-matrix-synapse 1.15.2 vuln.xml entry

Here's the vuxml entry for this incident.
Comment 2 Automation User 2020-07-02 17:52:48 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/162580406
Comment 3 Li-Wen Hsu freebsd_committer freebsd_triage 2020-07-03 04:25:34 UTC
(In reply to Sascha Biberhofer from comment #1)
Is it possible to convert this to a patch against security/vuxml/vuln.xml?
Comment 4 Sascha Biberhofer 2020-07-03 06:44:41 UTC
Created attachment 216156
py-matrix-synapse 1.15.2 vuln.xml entry (patch format)
Comment 5 Sascha Biberhofer 2020-07-03 06:46:52 UTC
(In reply to Li-Wen Hsu from comment #3)

Done. I avoided the patch since vuln.xml changes so rapidly that I wasn't sure a diff would apply cleanly. :)
Comment 6 Li-Wen Hsu freebsd_committer freebsd_triage 2020-07-03 06:56:57 UTC
(In reply to Sascha Biberhofer from comment #5)
Thanks; although it might not apply directly, it saves much time on format editing. :-)  Oh, I probably should have asked for "vuxml format", which should be easier for both of us.  I'll remember that next time.
Comment 7 commit-hook freebsd_committer freebsd_triage 2020-07-03 07:04:45 UTC
A commit references this bug:

Author: lwhsu
Date: Fri Jul  3 07:04:06 UTC 2020
New revision: 541079
URL: https://svnweb.freebsd.org/changeset/ports/541079

Log:
  Document net-im/py-matrix-synapse security issue before 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-07-03 07:06:47 UTC
A commit references this bug:

Author: lwhsu
Date: Fri Jul  3 07:06:28 UTC 2020
New revision: 541080
URL: https://svnweb.freebsd.org/changeset/ports/541080

Log:
  Update to 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2020Q3
  Security:	d9f686f3-fde0-48dc-ab0a-01c2fe3e0529

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
Comment 9 Li-Wen Hsu freebsd_committer freebsd_triage 2020-07-03 07:07:14 UTC
Wait for MFH.
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-07-04 09:27:06 UTC
A commit references this bug:

Author: lwhsu
Date: Sat Jul  4 09:26:59 UTC 2020
New revision: 541183
URL: https://svnweb.freebsd.org/changeset/ports/541183

Log:
  MFH: r541080

  Update to 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	d9f686f3-fde0-48dc-ab0a-01c2fe3e0529

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/net-im/py-matrix-synapse/Makefile
  branches/2020Q3/net-im/py-matrix-synapse/distinfo
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-05 02:58:13 UTC
^Triage: Track merge