Bug 249948

Summary: net-im/py-matrix-synapse: Security update to 1.21.2
Product: Ports & Packages Reporter: Sascha Biberhofer <ports>
Component: Individual Port(s)Assignee: Danilo G. Baio <dbaio>
Status: Closed FIXED    
Severity: Affects Many People CC: dbaio, fernape, jordan
Priority: --- Keywords: security
Version: LatestFlags: fernape: merge-quarterly+
Hardware: Any   
OS: Any   
URL: https://github.com/matrix-org/synapse/releases/tag/v1.21.2
Attachments:
Description Flags
net-im/py-matrix-synapse: Update to 1.20.1
ports: maintainer-approval+
net-im/py-matrix-synapse: update to 1.21.2
ports: maintainer-approval+
vuxml: Add entry for py-matrix-synapse XSS vulnerability ports: maintainer-approval+

Description Sascha Biberhofer 2020-09-27 20:32:17 UTC
Created attachment 218369 [details]
net-im/py-matrix-synapse: Update to 1.20.1

This patch updates the net-im/py-matrix-synapse port to version 1.20.1. From a ports perspective, the update bumps the DISTVERSION and syncs the dependencies with upstream dependency requirements, see [1]. The subsequent bump of the py-canonicaljson dependency from >=1.2.0 to >=1.3.0 requires a refresh of the patch we apply to the upstream dependency file, which is included in the submitted update.

A full changelog of all the updates of synapse itself is available at [2] and [3].


portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1174 tests in 388.935s, PASSED (skips=9, successes=1165))

Also runs fine in production. :)

Cheers,
Sascha


[1] https://github.com/matrix-org/synapse/blob/v1.20.1/synapse/python_dependencies.py
[2] https://github.com/matrix-org/synapse/releases/tag/v1.20.0
[3] https://github.com/matrix-org/synapse/releases/tag/v1.20.1
Comment 1 Fernando ApesteguĂ­a freebsd_committer 2020-09-30 06:16:09 UTC
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.

Thanks!
Comment 2 Sascha Biberhofer 2020-10-16 20:27:24 UTC
Created attachment 218809 [details]
net-im/py-matrix-synapse: update to 1.21.2

The synapse developers have released 1.21.0 and the subsequent minor updates 1.21.1 and 1.21.2 yesterday. This update includes a security update for an XSS vulnerability, see [1] and [2]. I've updates the patch to bump the version of the port to 1.21.2 and synced the dependencies with those required by upstream.


portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1241 tests in 459.405s, PASSED (skips=13, successes=1228))

I've been testing the resulting package on my server and things seem to be running fine. I will also provide a vuxml entry for this issue.

Cheers,
Sascha


[1] https://github.com/matrix-org/synapse/releases/tag/v1.21.2
[2] https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq
Comment 3 Sascha Biberhofer 2020-10-16 20:29:44 UTC
Created attachment 218811 [details]
vuxml: Add entry for py-matrix-synapse XSS vulnerability

The aforementioned vuxml entry. Passes `make validate`.
Comment 4 commit-hook freebsd_committer 2020-10-17 13:50:51 UTC
A commit references this bug:

Author: dbaio
Date: Sat Oct 17 13:50:27 UTC 2020
New revision: 552574
URL: https://svnweb.freebsd.org/changeset/ports/552574

Log:
  security/vuxml: Document net-im/py-matrix-synapse issue

  PR:		249948
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>
  Security:	CVE-2020-26891

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2020-10-17 14:34:58 UTC
A commit references this bug:

Author: dbaio
Date: Sat Oct 17 14:34:51 UTC 2020
New revision: 552582
URL: https://svnweb.freebsd.org/changeset/ports/552582

Log:
  net-im/py-matrix-synapse: Update to 1.21.2, Fix security issue

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.21.2/CHANGES.md

  PR:		249948
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2020Q4
  Security:	5f39d80f-107c-11eb-8b47-641c67a117d8

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/patch-synapse_python__dependencies.py
Comment 6 commit-hook freebsd_committer 2020-10-17 17:29:19 UTC
A commit references this bug:

Author: dbaio
Date: Sat Oct 17 17:29:05 UTC 2020
New revision: 552601
URL: https://svnweb.freebsd.org/changeset/ports/552601

Log:
  MFH: r552582

  net-im/py-matrix-synapse: Update to 1.21.2, Fix security issue

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.21.2/CHANGES.md

  PR:		249948
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	5f39d80f-107c-11eb-8b47-641c67a117d8

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/net-im/py-matrix-synapse/Makefile
  branches/2020Q4/net-im/py-matrix-synapse/distinfo
  branches/2020Q4/net-im/py-matrix-synapse/files/patch-synapse_python__dependencies.py
Comment 7 Danilo G. Baio freebsd_committer 2020-10-17 17:30:34 UTC
Committed, thanks!