Bug 241574 - net-im/py-matrix-synapse: update to 1.5.0, fix security issue
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Bernhard Froehlich
Reported: 2019-10-29 18:03 UTC by Sascha Biberhofer
Modified: 2019-11-28 17:06 UTC
ports: maintainer-feedback+


Attachments
update net-im/py-matrix-synapse to 1.5.0 (1.91 KB, patch)
2019-10-29 18:03 UTC, Sascha Biberhofer
no flags
vuxml entry for the new net-im/py-matrix-synapse security issue (1.44 KB, patch)
2019-10-29 18:04 UTC, Sascha Biberhofer
no flags
update net-im/py-matrix-synapse to 1.6.1 (2.47 KB, patch)
2019-11-28 13:20 UTC, Sascha Biberhofer
ports: maintainer-approval+
another vuxml entry for the 1.6.1 vulnerability (925 bytes, text/plain)
2019-11-28 13:23 UTC, Sascha Biberhofer
ports: maintainer-approval+

Description Sascha Biberhofer 2019-10-29 18:03:23 UTC
Created attachment 208679
update net-im/py-matrix-synapse to 1.5.0

I've attached both a patch for the py-matrix-synapse port as well as a vuxml-entry for the recent 1.5.0 release. The patch is mostly a simple version bump w/ an additional dependency in accordance with upstream changes. I've also upgraded the sample log configuration for recent synapse releases.
Comment 1 Sascha Biberhofer 2019-10-29 18:04:17 UTC
Created attachment 208680
vuxml entry for the new net-im/py-matrix-synapse security issue
Comment 2 Sascha Biberhofer 2019-11-28 13:20:52 UTC
Created attachment 209510
update net-im/py-matrix-synapse to 1.6.1

Synapse is now at 1.6.1. The 1.6 release has removed one dependency, which I've reflected in the port accordingly. Additionally, the 1.6.1 release is another security release, see [1]. There's very little information on the nature of this security release, but I'll add a vuxml entry in the next comment. 

It would be nice if we could get these updates committed. That's now two security issues that our users might be unaware of. 

As for stability, 1.6.1 is currently running fine on my own server. I'm always grateful for feedback, if anyone wants to give this a spin. 

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.6.1
Comment 3 Sascha Biberhofer 2019-11-28 13:23:11 UTC
Created attachment 209511
another vuxml entry for the 1.6.1 vulnerability

Here's the vuxml entry for the 1.6.1 release. Since there are very few details on the kind of security vulnerability, I've kept it pretty basic. Feedback is welcome, as usual. :)
Comment 4 commit-hook freebsd_committer 2019-11-28 15:45:30 UTC
A commit references this bug:

Author: decke
Date: Thu Nov 28 15:44:53 UTC 2019
New revision: 518587
URL: https://svnweb.freebsd.org/changeset/ports/518587

Log:
  Document net-im/py-matrix-synapse vulnerabilities

  PR:		241574
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2019-11-28 17:05:39 UTC
A commit references this bug:

Author: decke
Date: Thu Nov 28 17:05:12 UTC 2019
New revision: 518593
URL: https://svnweb.freebsd.org/changeset/ports/518593

Log:
  net-im/py-matrix-synapse: Update to 1.6.1 which also fixes two vulnerabilities

  PR:		241574
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/log.config.in
Comment 6 Bernhard Froehlich freebsd_committer 2019-11-28 17:06:01 UTC
Committed, thanks!