Bug 249948

Summary:

net-im/py-matrix-synapse: Security update to 1.21.2

Product:

Ports & Packages

Reporter:

Sascha Biberhofer <ports>

Component:

Individual Port(s)

Assignee:

Danilo G. Baio <dbaio>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

dbaio, fernape, jordan

Priority:

---

Keywords:

security

Version:

Latest

Flags:

fernape: merge-quarterly+

Hardware:

Any

OS:

Any

URL:

https://github.com/matrix-org/synapse/releases/tag/v1.21.2

Attachments:

Description	Flags
net-im/py-matrix-synapse: Update to 1.20.1	ports: maintainer-approval+
net-im/py-matrix-synapse: update to 1.21.2	ports: maintainer-approval+
vuxml: Add entry for py-matrix-synapse XSS vulnerability	ports: maintainer-approval+

Description Sascha Biberhofer 2020-09-27 20:32:17 UTC

Created attachment 218369 [details]
net-im/py-matrix-synapse: Update to 1.20.1

This patch updates the net-im/py-matrix-synapse port to version 1.20.1. From a ports perspective, the update bumps the DISTVERSION and syncs the dependencies with upstream dependency requirements, see [1]. The subsequent bump of the py-canonicaljson dependency from >=1.2.0 to >=1.3.0 requires a refresh of the patch we apply to the upstream dependency file, which is included in the submitted update.

A full changelog of all the updates of synapse itself is available at [2] and [3].


portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1174 tests in 388.935s, PASSED (skips=9, successes=1165))

Also runs fine in production. :)

Cheers,
Sascha


[1] https://github.com/matrix-org/synapse/blob/v1.20.1/synapse/python_dependencies.py
[2] https://github.com/matrix-org/synapse/releases/tag/v1.20.0
[3] https://github.com/matrix-org/synapse/releases/tag/v1.20.1

Comment 1 Fernando Apesteguía freebsd_committer

2020-09-30 06:16:09 UTC

^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.

Thanks!

Comment 2 Sascha Biberhofer 2020-10-16 20:27:24 UTC

Created attachment 218809 [details]
net-im/py-matrix-synapse: update to 1.21.2

The synapse developers have released 1.21.0 and the subsequent minor updates 1.21.1 and 1.21.2 yesterday. This update includes a security update for an XSS vulnerability, see [1] and [2]. I've updates the patch to bump the version of the port to 1.21.2 and synced the dependencies with those required by upstream.


portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1241 tests in 459.405s, PASSED (skips=13, successes=1228))

I've been testing the resulting package on my server and things seem to be running fine. I will also provide a vuxml entry for this issue.

Cheers,
Sascha


[1] https://github.com/matrix-org/synapse/releases/tag/v1.21.2
[2] https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq

Comment 3 Sascha Biberhofer 2020-10-16 20:29:44 UTC

Created attachment 218811 [details]
vuxml: Add entry for py-matrix-synapse XSS vulnerability

The aforementioned vuxml entry. Passes `make validate`.

Comment 4 commit-hook freebsd_committer

2020-10-17 13:50:51 UTC

A commit references this bug:

Author: dbaio
Date: Sat Oct 17 13:50:27 UTC 2020
New revision: 552574
URL: https://svnweb.freebsd.org/changeset/ports/552574

Log:
  security/vuxml: Document net-im/py-matrix-synapse issue

  PR:		249948
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>
  Security:	CVE-2020-26891

Changes:
  head/security/vuxml/vuln.xml

Comment 5 commit-hook freebsd_committer

2020-10-17 14:34:58 UTC

A commit references this bug:

Author: dbaio
Date: Sat Oct 17 14:34:51 UTC 2020
New revision: 552582
URL: https://svnweb.freebsd.org/changeset/ports/552582

Log:
  net-im/py-matrix-synapse: Update to 1.21.2, Fix security issue

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.21.2/CHANGES.md

  PR:		249948
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2020Q4
  Security:	5f39d80f-107c-11eb-8b47-641c67a117d8

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/patch-synapse_python__dependencies.py

Comment 6 commit-hook freebsd_committer

2020-10-17 17:29:19 UTC

A commit references this bug:

Author: dbaio
Date: Sat Oct 17 17:29:05 UTC 2020
New revision: 552601
URL: https://svnweb.freebsd.org/changeset/ports/552601

Log:
  MFH: r552582

  net-im/py-matrix-synapse: Update to 1.21.2, Fix security issue

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.21.2/CHANGES.md

  PR:		249948
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	5f39d80f-107c-11eb-8b47-641c67a117d8

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/net-im/py-matrix-synapse/Makefile
  branches/2020Q4/net-im/py-matrix-synapse/distinfo
  branches/2020Q4/net-im/py-matrix-synapse/files/patch-synapse_python__dependencies.py

Comment 7 Danilo G. Baio freebsd_committer

2020-10-17 17:30:34 UTC

Committed, thanks!