Bug 258187

Summary: net-im/py-matrix-synapse: Update to 1.41.1
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed FIXED
Severity: Affects Many People
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Reporter: Sascha Biberhofer <ports>
Assignee: Ashish SHUKLA <ashish>
CC: ashish, ports-secteam, ports
Keywords: needs-qa, security
Flags: ashish: maintainer-feedback+, ashish: merge-quarterly+
URL: https://github.com/matrix-org/synapse/releases/tag/v1.41.1

Attachments (description, flags):
net-im/py-matrix-synapse: Update to 1.41.1 (ports: maintainer-approval+)
security/vuxml diff (none)

Description Sascha Biberhofer 2021-08-31 19:48:46 UTC
Created attachment 227574
net-im/py-matrix-synapse: Update to 1.41.1

The attached patch is a simple version bump to update net-im/py-matrix-synapse to 1.41.1. This release contains fixes for two vulnerabilities [1], [2], which may expose room metadata and membership information to unauthorized users. The vulnerability affects all versions of net-im/py-matrix-synapse prior to 1.41.1.

portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 130amd64)
do-test: OK (Ran 1789 tests in 854.478s, PASSED (skips=36, successes=1753))

I've been running the resulting package in production for the past few hours and things look fine, so I don't expect any fallout here. This should probably also be merged back to quarterly, if possible. I'll also try and write a vuxml entry tomorrow.

[1] https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q
[2] https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-09-01 01:01:07 UTC
^Triage: Needs VuXML entry
Comment 2 Ashish SHUKLA freebsd_committer 2021-09-02 14:22:47 UTC
Created attachment 227608
security/vuxml diff

Once port passes testing, I'll commit the security/vuxml update as well.
Comment 3 commit-hook freebsd_committer 2021-09-02 14:38:50 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1d034041502f6783f8259b91b23e650c79fc4f6d

commit 1d034041502f6783f8259b91b23e650c79fc4f6d
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2021-09-02 14:31:26 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-09-02 14:31:26 +0000

    security/vuxml: Document py-matrix-synapse vulnerabilities

    PR:             258187
    Reported by:    Sascha Biberhofer <ports@skyforge.at>
    Security:       a67e358c-0bf6-11ec-875e-901b0e9408dc
    Security:       CVE-2021-39163
    Security:       CVE-2021-39164

 security/vuxml/vuln-2021.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
Comment 4 commit-hook freebsd_committer 2021-09-02 14:46:53 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1e1181ab180470952c0eacda07094da95c6404f9

commit 1e1181ab180470952c0eacda07094da95c6404f9
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-09-02 14:40:41 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-09-02 14:45:52 +0000

    net-im/py-matrix-synapse: Update to 1.41.1

    This release also fixes two security vulnerabilities

    PR:             258187
    MFH:            2021Q3
    Security:       a67e358c-0bf6-11ec-875e-901b0e9408dc
    Security:       CVE-2021-39163
    Security:       CVE-2021-39164

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 5 commit-hook freebsd_committer 2021-09-02 14:52:54 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c14c6de1be8ebad12bc3a43c23b489d85528f334

commit c14c6de1be8ebad12bc3a43c23b489d85528f334
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-09-02 14:40:41 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-09-02 14:51:06 +0000

    net-im/py-matrix-synapse: Update to 1.41.1

    This release also fixes two security vulnerabilities

    PR:             258187
    MFH:            2021Q3
    Security:       a67e358c-0bf6-11ec-875e-901b0e9408dc
    Security:       CVE-2021-39163
    Security:       CVE-2021-39164

    (cherry picked from commit 1e1181ab180470952c0eacda07094da95c6404f9)

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 6 Ashish SHUKLA freebsd_committer 2021-09-02 14:56:06 UTC
Committed, thanks!

P.S. Toggled maintainer-feedback to "+" since submitter is maintainer, and their patch is already good