Bug 244279 - net-im/py-matrix-synapse: Update to 1.11.0
Summary: net-im/py-matrix-synapse: Update to 1.11.0
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: freebsd-ports-bugs mailing list
URL:
Keywords: buildisok, security
Depends on: 244366
Blocks:
Reported: 2020-02-21 12:18 UTC by Alexander Sieg
Modified: 2020-03-13 04:18 UTC

See Also:
bugzilla: maintainer-feedback? (ports)
koobs: merge-quarterly?


Attachments
patch (869 bytes, patch)
2020-02-21 12:18 UTC, Alexander Sieg
no flags
net-im/py-matrix-synapse: update to 1.11.1 (fixes security issue) (1001 bytes, patch)
2020-03-03 19:59 UTC, Sascha Biberhofer
no flags
vuxml entry for py-matrix-synapse versions prior to 1.11.1 (1012 bytes, application/xml)
2020-03-05 13:22 UTC, Sascha Biberhofer
ports: maintainer-approval+

Description Alexander Sieg 2020-02-21 12:18:47 UTC
Update to 1.11.0
Comment 1 Alexander Sieg 2020-02-21 12:18:51 UTC
Created attachment 211798
patch
Comment 2 Automation User 2020-02-21 12:42:23 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/119937222
Comment 3 Sascha Biberhofer 2020-02-24 13:05:45 UTC
Hi! I think this update introduces a problem w/ the sqlite support, as is noticeable when running the test suite. According to upstream, it seems that synapse now relies on the json1 support within sqlite3.

By default, however, the packaged version of sqlite3 in FreeBSD doesn't contain this support, which probably breaks synapse for anyone using synapse w/ an sqlite3 backend on FreeBSD.

I'm not sure how to proceed from here. I can't, to the best of my knowledge, directly depend on a given option in a port. The only way to fix this might be to include the json1 option in sqlite3, for which I'll file a separate bug report.

I'm also in contact with upstream to see if and how we can resolve this any other way.
Comment 4 Sascha Biberhofer 2020-03-03 19:59:29 UTC
Created attachment 212130
net-im/py-matrix-synapse: update to 1.11.1 (fixes security issue)

In the meantime, the matrix developers have released version 1.11.1, an update which fixes a security vulnerability in synapse (see [1]). One should note that this vulnerability only affects users using SSO with synapse. I will probably write a vuxml entry for this tomorrow.

The attached patch should bump our port to 1.11.1, but we still need an sqlite3 version supporting JSON1, otherwise the update breaks sqlite installations.

[1] https://github.com/matrix-org/synapse/releases/tag/v1.11.1
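A pre-upgrade check for the JSON1 dependency raised in comments 3 and 4: it probes whether the SQLite library linked into the Python interpreter actually provides the JSON1 functions. This is an added example, not part of the bug report or the port; the function names and the probe document are constructed for illustration.

```python
import sqlite3
import sys

# Constructed probe: a nested JSON document and the value json_extract should return.
PROBE_EXPR = """json_extract('{"a":{"b":7}}', '$.a.b')"""
PROBE_EXPECTED = 7


def sql_expr_works(conn, expr):
    """Return True if `SELECT <expr>` runs. A missing SQL function raises
    OperationalError ("no such function"). `expr` must be a trusted constant."""
    try:
        conn.execute(f"SELECT {expr}").fetchone()
        return True
    except sqlite3.OperationalError:
        return False


def compile_options(conn):
    """Build options of the linked library (empty if the build omits diagnostics)."""
    return {row[0] for row in conn.execute("PRAGMA compile_options")}


def json1_report(conn=None):
    """Report whether JSON1 is usable, plus the build flags that explain why."""
    own = conn is None
    if own:
        conn = sqlite3.connect(":memory:")
    try:
        opts = compile_options(conn)
        works = sql_expr_works(conn, PROBE_EXPR)
        if works:
            value = conn.execute(f"SELECT {PROBE_EXPR}").fetchone()[0]
            works = value == PROBE_EXPECTED
        return {
            "library_version": sqlite3.sqlite_version,
            "enable_json1_flag": "ENABLE_JSON1" in opts,
            "omit_json_flag": "OMIT_JSON" in opts,
            "json1_works": works,
        }
    finally:
        if own:
            conn.close()


if __name__ == "__main__":
    report = json1_report()
    print(report)
    # Non-zero exit lets a deployment script refuse to upgrade an SQLite-backed server.
    sys.exit(0 if report["json1_works"] else 1)
```

Run it with the same interpreter the server uses, since the result depends on the SQLite library that interpreter is linked against.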
Comment 5 Sascha Biberhofer 2020-03-05 13:22:15 UTC
Created attachment 212157
vuxml entry for py-matrix-synapse versions prior to 1.11.1

Here's a vuxml entry for this issue.
Comment 6 commit-hook freebsd_committer 2020-03-11 10:58:24 UTC
A commit references this bug:

Author: decke
Date: Wed Mar 11 10:58:21 UTC 2020
New revision: 528227
URL: https://svnweb.freebsd.org/changeset/ports/528227

Log:
  Document py-matrix-synapse vulnerabilities

  PR:		244279
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml