| Summary: | net-im/py-matrix-synapse: Security update to 1.47.1 | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Sascha Biberhofer <ports> |
| Component: | Individual Port(s) | Assignee: | Ashish SHUKLA <ashish> |
| Status: | Closed FIXED | | |
| Severity: | Affects Many People | CC: | ashish, contact |
| Priority: | --- | Flags: | ashish: merge-quarterly+ |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
| URL: | https://github.com/matrix-org/synapse/releases/tag/v1.47.1 | | |

Description
Sascha Biberhofer
2021-11-23 14:36:02 UTC
Created attachment 229671: vuxml for CVE-2021-41281
Thank you Sascha, here is the vuxml :-).

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a3987e103053782333cdcc1a0cd772d61f333b4e

commit a3987e103053782333cdcc1a0cd772d61f333b4e
Author: Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-11-23 16:49:37 +0000
Commit: Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-23 16:53:03 +0000

net-im/py-matrix-synapse: Update to 1.47.1

PR: 259994
MFH: 2021Q4
Security: 27aa2253-4c72-11ec-b6b9-e86a64caca56
Security: CVE-2021-41281

net-im/py-matrix-synapse/Makefile | 2 +-
net-im/py-matrix-synapse/distinfo | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c6782b5ef530f87268d42d171eef424244fb2822

commit c6782b5ef530f87268d42d171eef424244fb2822
Author: Evilham <contact@evilham.com>
AuthorDate: 2021-11-23 16:45:05 +0000
Commit: Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-23 16:53:00 +0000

security/vuxml: Document vulnerability in Matrix Synapse

PR: 259994
Reported by: Sascha Biberhofer <ports at skyforge dot at>
Security: 27aa2253-4c72-11ec-b6b9-e86a64caca56
Security: CVE-2021-41281

security/vuxml/vuln-2021.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)

Just an update here to explain the delay in merging to quarterly branch. Apparently 1.47.1 depends on www/py-pyjwt1 which is not in the quarterly branch :/.

A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=06d01a3e6b0a2d6ac9f2c29b2f0a68605f30e0b6

commit 06d01a3e6b0a2d6ac9f2c29b2f0a68605f30e0b6
Author: Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-11-23 16:49:37 +0000
Commit: Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-24 11:20:29 +0000

net-im/py-matrix-synapse: Update to 1.47.1

PR: 259994
MFH: 2021Q4
Security: 27aa2253-4c72-11ec-b6b9-e86a64caca56
Security: CVE-2021-41281

(cherry picked from commit a3987e103053782333cdcc1a0cd772d61f333b4e)

net-im/py-matrix-synapse/Makefile | 2 +-
net-im/py-matrix-synapse/distinfo | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

Committed to quarterly after making sure it does not break INDEX, and builds fine, and checking with portmgr@ (Thanks tcberner@). Thanks!

Lovely, thank you! Ignorance asking here: shouldn't vuxml be updated too in 2021Q4 referring to this PR?

(In reply to Evilham from comment #7)

AFAIK, vuxml does not need to be updated, as end-users don't directly use security/vuxml port, but instead they use the audit file (using pkg-audit(8)) available from FreeBSD mirrors. And also, I don't see any commits in security/vuxml commit log[0] for the time frame of 2021Q4 branch, or in older quarterly branches for that matter.

References:
[0] https://cgit.freebsd.org/ports/log/security/vuxml?h=2021Q4

HTH