Bug 242702 - net-im/py-matrix-synapse: Update to 1.7.1 (fixes security vulnerabilities)
Summary: net-im/py-matrix-synapse: Update to 1.7.1 (fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Bernhard Froehlich
URL:
Keywords: buildisok, security
Depends on:
Blocks:
 
Reported: 2019-12-18 12:27 UTC by Sascha Biberhofer
Modified: 2020-01-11 14:15 UTC

See Also:
koobs: merge-quarterly-


Attachments
net-im/py-matrix-synapse patch from 1.6.1 to 1.7.1 (2.38 KB, patch)
2019-12-18 12:27 UTC, Sascha Biberhofer
no flags
vuxml entry for py-matrix-synapse releases prior to 1.7.1 (1.29 KB, application/xml)
2019-12-18 15:38 UTC, Sascha Biberhofer
no flags
net-im/py-matrix-synapse patch from 1.6.1 to 1.7.2 (2.38 KB, patch)
2019-12-20 15:46 UTC, Sascha Biberhofer
ports: maintainer-approval+

Description Sascha Biberhofer 2019-12-18 12:27:23 UTC
Created attachment 210030
net-im/py-matrix-synapse patch from 1.6.1 to 1.7.1

The matrix team has just released the 1.7.1 version of synapse containing three security relevant fixes[1]. 

In addition to this, the 1.7.0 release now strongly recommends the use of postgresql. Sqlite is only recommended for testing or small non-federated setups and future releases of synapse may disable federation by default for instances using sqlite, see [2].

I've therefore included PGSQL as a default option and updated the pkg-message with a note on upgrade. In addition, I've added the postgres setup/migration documentation to the installed docfiles.

I'll also write a vuxml entry for this, once I have a few more minutes to spare.

The updated 1.7.1 port builds and runs fine for me. 

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.7.1
[2] https://github.com/matrix-org/synapse/releases/tag/v1.7.0
Comment 1 Automation User 2019-12-18 12:52:56 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/104025583
Comment 2 Sascha Biberhofer 2019-12-18 15:38:47 UTC
Created attachment 210038
vuxml entry for py-matrix-synapse releases prior to 1.7.1

Here's the vuxml entry adapted from the release notes. :)
Comment 3 Sascha Biberhofer 2019-12-20 15:46:56 UTC
Created attachment 210084
net-im/py-matrix-synapse patch from 1.6.1 to 1.7.2

Here's another bump to 1.7.2, which includes two bugfixes for regressions introduced in the 1.7 release.
Comment 4 commit-hook freebsd_committer 2019-12-20 21:06:33 UTC
A commit references this bug:

Author: decke
Date: Fri Dec 20 21:05:45 UTC 2019
New revision: 520526
URL: https://svnweb.freebsd.org/changeset/ports/520526

Log:
  Document py-matrix-synapse vulnerabilities

  PR:		242702
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Bernhard Froehlich freebsd_committer 2019-12-20 21:08:10 UTC
I'll take it
Comment 6 commit-hook freebsd_committer 2019-12-20 21:16:35 UTC
A commit references this bug:

Author: decke
Date: Fri Dec 20 21:16:09 UTC 2019
New revision: 520527
URL: https://svnweb.freebsd.org/changeset/ports/520527

Log:
  net-im/py-matrix-synapse:
  - Update to 1.7.2
  - Enable PostgreSQL support per default as recommended from upstream
  - Add messages for updating

  PR:		242702
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/pkg-message.in
Comment 7 Bernhard Froehlich freebsd_committer 2019-12-20 21:16:51 UTC
Committed, Thanks!
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2019-12-21 01:32:24 UTC
The change to the default backend should have been separated from the security update. Combining them makes it more difficult to merge to the quarterly branch.
Comment 9 Sascha Biberhofer 2019-12-21 10:09:36 UTC
(In reply to Kubilay Kocak from comment #8)
While I can see your point, I wouldn't really call this a change to the default backend. The package just pulls in both backends now, so people have a choice by default and no longer need to install the postgres dependencies manually. I didn't drop sqlite from the default options so that existing installations are not affected, but I would like to think about this in a future release.

The 1.7 release itself also doesn't change the way sqlite is handled, it just prints a tiny warning on start making it more clear to the user that sqlite comes with performance limitations, so sqlite users shouldn't be affected in any way by the new version and don't need to migrate anything on update in the immediate future.

I hope this is "ok" (while probably not ideal) for a merge into quarterly, but if there's anything else I can (and should) do about this then please let me know.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-11 14:15:32 UTC
^Triage: Track no MFH