Bug 244279 - net-im/py-matrix-synapse: Update to 1.12.3
Summary: net-im/py-matrix-synapse: Update to 1.12.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Danilo G. Baio
URL:
Keywords: security
Depends on: 244366
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-21 12:18 UTC by Alexander Sieg
Modified: 2020-04-22 10:56 UTC (History)
7 users (show)

See Also:
ports: maintainer-feedback+
dbaio: merge-quarterly+


Attachments
patch (869 bytes, patch)
2020-02-21 12:18 UTC, Alexander Sieg
no flags Details | Diff
net-im/py-matrix-synapse: update to 1.11.1 (fixes security issue) (1001 bytes, patch)
2020-03-03 19:59 UTC, Sascha Biberhofer
no flags Details | Diff
vuxml entry for py-matrix-synapse versions prior to 1.11.1 (1012 bytes, application/xml)
2020-03-05 13:22 UTC, Sascha Biberhofer
ports: maintainer-approval+
Details
net-im/py-matrix-synapse: Update to 1.12.3 (1001 bytes, patch)
2020-04-11 18:25 UTC, Sascha Biberhofer
ports: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Sieg 2020-02-21 12:18:47 UTC
Update to 1.11.0
Comment 1 Alexander Sieg 2020-02-21 12:18:51 UTC
Created attachment 211798 [details]
patch
Comment 2 Automation User 2020-02-21 12:42:23 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/119937222
Comment 3 Sascha Biberhofer 2020-02-24 13:05:45 UTC
Hi! I think this update introduces a problem w/ the sqlite support, as is noticable when running the testsuit. According to upstream, it seems that synapse now relies on the json1 support within sqlite3.

By default, however, the packaged version of sqlite3 in FreeBSD doesn't contain this support, which probably break synapse for anyone using synapse w/ an sqlite3 backend on FreeBSD.

I'm not sure how to proceed from here. I can't, to the best of my knowledge, directly depend on a given option in a port. The only way to fix this might be to include the json1 option in sqlite3, for which I'll file a seperate bug report.

I'm also in contact with upstream to see if and how we can resolve this any other way.
Comment 4 Sascha Biberhofer 2020-03-03 19:59:29 UTC
Created attachment 212130 [details]
net-im/py-matrix-synapse: update to 1.11.1 (fixes security issue)

In the meantime, the matrix developers have released version 1.11.1, an update which fixes a security vulnerability in synapse (see [1]). One should not that this vulnerability only affects users using SSO with synapse. I will probably write a vuxml entry for this tomorrow.

The attached patch should bump our port to 1.11.1, but we still need an sqlite3 version supporting JSON1, otherwise the update breaks sqlite installations.

[1] https://github.com/matrix-org/synapse/releases/tag/v1.11.1
Comment 5 Sascha Biberhofer 2020-03-05 13:22:15 UTC
Created attachment 212157 [details]
vuxml entry for py-matrix-synapse versions prior to 1.11.1

Here's a vuxml entry for this issue.
Comment 6 commit-hook freebsd_committer 2020-03-11 10:58:24 UTC
A commit references this bug:

Author: decke
Date: Wed Mar 11 10:58:21 UTC 2020
New revision: 528227
URL: https://svnweb.freebsd.org/changeset/ports/528227

Log:
  Document py-matrix-synapse vulnerabilities

  PR:		244279
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml
Comment 7 Sascha Biberhofer 2020-04-11 18:25:51 UTC
Created attachment 213297 [details]
net-im/py-matrix-synapse: Update to 1.12.3

After skipping on 1.12.0 due to problems in postgres-only configurations (see [1]), we've now reached 1.12.3. This version has worked fine on my server for the last few days and also works with the py-twisted version currently discussed in [2]. 

It should be noted that py-matrix-synapse is currently vulnerable to the request smuggling CVE contained in the old py-twisted version, as was mentioned in the release noted of synapse in [3]. 

This update is of course still blocked by the missing JSON1 option in sqlite, which has since been incorporated into [4].

[1] https://github.com/matrix-org/synapse/issues/7127
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245252
[3] https://github.com/matrix-org/synapse/releases/tag/v1.12.0
[4] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243602
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-12 23:58:16 UTC
(In reply to Sascha Biberhofer from comment #7)

If this change (matrix update), requires any of the other issues (bug 245252 bug 243602), please add them to the Depends On field
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-20 10:44:53 UTC
@Sascha Can you confirm 

- this version update can land independently from the twisted update in bug 245252, modulo the request smuggling vulnerability in the current version you mentioned in comment 7

- That this version is OK with the current version of Twisted in ports (I haven't had a chance to run through any requirements changes)
Comment 10 Sascha Biberhofer 2020-04-20 12:08:23 UTC
(In reply to Kubilay Kocak from comment #9)

Sorry for the delay. The synapse update is completely independent of the updates in bug 245252 and bug 243602. This is particularly true for the py-twisted update, otherwise I'd have bumped the dependency requirements. :)

We only depend on the JSON1 option of sqlite3 mention in bug 244366, so the "depends on" information is still accurate.

However, as you've noted, we're still vulnerable to request smuggling without the py-twisted update. This is however a different issue and probably more suitably discussed in bug 245252, py-matrix-synapse 1.12.3 works with either version.
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-21 03:32:05 UTC
Thank you for the detail and confirmation. Danilo (dbaio) is taking care of QA'ing Firefox/Thunderbird with (only) JSOn1 enabled. We should be good to progress this and the dependent issue after that
Comment 12 commit-hook freebsd_committer 2020-04-21 15:03:32 UTC
A commit references this bug:

Author: dbaio
Date: Tue Apr 21 15:02:33 UTC 2020
New revision: 532273
URL: https://svnweb.freebsd.org/changeset/ports/532273

Log:
  net-im/py-matrix-synapse: Update to 1.12.3, Fixes security vulnerability

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.12.3/CHANGES.md

  PR:		244279
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Reported by:	Alexander Sieg <ports@xanderio.de>
  MFH:		2020Q2
  X-MFH-with:	532268
  Security:	1afe9552-5ee3-11ea-9b6d-901b0e934d69

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
Comment 13 commit-hook freebsd_committer 2020-04-22 10:53:23 UTC
A commit references this bug:

Author: dbaio
Date: Wed Apr 22 10:52:21 UTC 2020
New revision: 532465
URL: https://svnweb.freebsd.org/changeset/ports/532465

Log:
  MFH: r532273

  net-im/py-matrix-synapse: Update to 1.12.3, Fixes security vulnerability

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.12.3/CHANGES.md

  PR:		244279
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Reported by:	Alexander Sieg <ports@xanderio.de>
  X-MFH-with:	532268
  Security:	1afe9552-5ee3-11ea-9b6d-901b0e934d69

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/net-im/py-matrix-synapse/Makefile
  branches/2020Q2/net-im/py-matrix-synapse/distinfo
Comment 14 Danilo G. Baio freebsd_committer 2020-04-22 10:56:44 UTC
Committed, thank you all!