Bug 234828 - update net-im/py-matrix-synapse to 0.34.1.1, fix CVE-2019-5885
Summary: update net-im/py-matrix-synapse to 0.34.1.1, fix CVE-2019-5885
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Steve Wills
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-10 17:07 UTC by Sascha Biberhofer
Modified: 2019-01-15 12:23 UTC (History)
2 users (show)

See Also:


Attachments
patch to update net-im/py-matrix-synapse to 0.34.1.1 (2.63 KB, patch)
2019-01-10 17:07 UTC, Sascha Biberhofer
no flags Details | Diff
vuln.xml entry for py-matrix-synapse (929 bytes, text/plain)
2019-01-14 16:46 UTC, Sascha Biberhofer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sascha Biberhofer 2019-01-10 17:07:24 UTC
Created attachment 200991 [details]
patch to update net-im/py-matrix-synapse to 0.34.1.1

The synapse team just released 0.34.1.1, fixing CVE-2019-5885, see [1].

I've bumped the version, and some minor dependencies. I had to patch python_dependencies.py to avoid a version check against the prometheus library, as the version shipped w/ FreeBSD is more recent than the one officially supported by synapse.

As a consequence, this update may break monitoring w/ prometheus as it renames some metrics exported by synapse w/ the old version, see [2]. This seems unavoidable however, as our synapse package is either broken or exports different metric names, hence I chose the lesser evil. 

In any case, the new version seems to work fine. We should probably update this asap and push it to the quarterly repos too.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v0.34.1.1
[2] https://github.com/matrix-org/synapse/issues/4221
Comment 1 Steve Wills freebsd_committer 2019-01-14 16:02:32 UTC
I can't seem to find enough information on this CVE to create a VuXML entry. Is the issue not public yet? Or can you point me at the info or write a VuXML entry?
Comment 2 Sascha Biberhofer 2019-01-14 16:45:54 UTC
(In reply to Steve Wills from comment #1)

The CVE is not yet public, but will probably be at some point later today (according to communications w/ upstream). The only public information on this vulnerability is currently [1] afaik. I'll add a patch w/ a preliminary vuln.xml entry based on these facts (though I've never made one before, so I hope this turns out ok).

Cheers,
Sascha

[1] https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/
Comment 3 Sascha Biberhofer 2019-01-14 16:46:54 UTC
Created attachment 201133 [details]
vuln.xml entry for py-matrix-synapse
Comment 4 commit-hook freebsd_committer 2019-01-15 12:21:26 UTC
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:20:44 UTC 2019
New revision: 490365
URL: https://svnweb.freebsd.org/changeset/ports/490365

Log:
  Document py-matrix-synapse issue

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (with slight editing)

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2019-01-15 12:21:29 UTC
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:21:09 UTC 2019
New revision: 490366
URL: https://svnweb.freebsd.org/changeset/ports/490366

Log:
  net-im/py-matrix-synapse: update to 0.34.1.1, fix CVE-2019-5885

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2019Q1
  Security:	383931ba-1818-11e9-92ea-448a5b29e8a9

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/patch-python_dependencies.py
Comment 6 commit-hook freebsd_committer 2019-01-15 12:22:33 UTC
A commit references this bug:

Author: swills
Date: Tue Jan 15 12:22:07 UTC 2019
New revision: 490367
URL: https://svnweb.freebsd.org/changeset/ports/490367

Log:
  MFH: r490366

  net-im/py-matrix-synapse: update to 0.34.1.1, fix CVE-2019-5885

  PR:		234828
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	383931ba-1818-11e9-92ea-448a5b29e8a9
  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/net-im/py-matrix-synapse/Makefile
  branches/2019Q1/net-im/py-matrix-synapse/distinfo
  branches/2019Q1/net-im/py-matrix-synapse/files/patch-python_dependencies.py
Comment 7 Steve Wills freebsd_committer 2019-01-15 12:23:29 UTC
Committed, thanks!