Bug 247720 - net-im/py-matrix-synapse: Update to 1.15.2 (security)
Summary: net-im/py-matrix-synapse: Update to 1.15.2 (security)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any (OS: Any)
Importance: Normal (Affects Many People)
Assignee: Li-Wen Hsu
URL: https://github.com/matrix-org/synapse...
Keywords: buildisok, security
Depends on:
Blocks:
 
Reported: 2020-07-02 17:29 UTC by Sascha Biberhofer
Modified: 2020-07-05 02:58 UTC
CC: 3 users

See Also:
koobs: merge-quarterly+


Attachments
net-im/py-matrix-synapse: 1.14.0 to 1.15.2 (1.45 KB, patch)
2020-07-02 17:29 UTC, Sascha Biberhofer
ports: maintainer-approval+
py-matrix-synapse 1.15.2 vuln.xml entry (1.34 KB, application/xml)
2020-07-02 17:33 UTC, Sascha Biberhofer
ports: maintainer-approval+
py-matrix-synapse 1.15.2 vuln.xml entry (patch format) (1.83 KB, patch)
2020-07-03 06:44 UTC, Sascha Biberhofer
ports: maintainer-approval+

Description Sascha Biberhofer 2020-07-02 17:29:39 UTC
Created attachment 216148
net-im/py-matrix-synapse: 1.14.0 to 1.15.2

The matrix developers have just released synapse 1.15.2 (see [1]), containing security fixes for two vulnerabilities:

- A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers. (96e9afe6)

- HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade. (ea26e9a9)

This patch bumps the port to the aforementioned version. It also adds www/py-pyjwt to the test dependencies, which is necessary to make the testsuite pass successfully.

portlint: "OK" (4 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1063 tests in 327.652s, PASSED (skips=5, successes=1058))

The resulting port also runs fine on my server.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.15.2
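The second fix listed above concerns clickjacking, which is mitigated by telling browsers which origins may embed a page in a frame. The following is an added example for operators verifying their upgraded deployment; it is not part of this PR, of the port, or of Synapse's own code. It assumes a simplified model of the two relevant headers (a `Content-Security-Policy` `frame-ancestors` directive, which browsers honour in preference to `X-Frame-Options`, and the `X-Frame-Options` values `DENY` and `SAMEORIGIN`), and the sample responses at the bottom are constructed for illustration, not captured from a real server.

```python
"""Classify HTTP responses by their anti-clickjacking posture.

Added example, not Synapse's own code. The header semantics below are a
simplified reading of the CSP and X-Frame-Options rules; the sample
responses are constructed and do not describe any real server.
"""


def _csp_directives(csp: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Source expressions are lower-cased and stripped of their quotes, so
    'none' -> "none" and 'self' -> "self".
    """
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            name = tokens[0].lower()
            directives[name] = [t.strip("'\"").lower() for t in tokens[1:]]
    return directives


def framing_policy(headers: dict[str, str]) -> str:
    """Return one of "deny", "self", "restricted" or "unprotected".

    "deny"        - no origin may frame the page
    "self"        - only the same origin may frame it
    "restricted"  - an explicit allow-list of other origins
    "unprotected" - any site may frame the page (clickjackable)
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors takes precedence: browsers that understand it
    # ignore X-Frame-Options when both are present.
    csp = lowered.get("content-security-policy")
    if csp:
        directives = _csp_directives(csp)
        if "frame-ancestors" in directives:
            sources = directives["frame-ancestors"]
            # An empty source list matches nothing, which is equivalent to 'none'.
            if not sources or sources == ["none"]:
                return "deny"
            if "*" in sources:
                return "unprotected"
            if sources == ["self"]:
                return "self"
            return "restricted"

    # Fall back to the legacy header. ALLOW-FROM is obsolete and ignored by
    # modern browsers, so it is treated as offering no real protection.
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "self"
    return "unprotected"


def find_unprotected(responses: dict[str, dict[str, str]]) -> list[str]:
    """Return the paths whose HTML responses can be framed by any origin."""
    return sorted(
        path for path, headers in responses.items()
        if headers.get("Content-Type", "").startswith("text/html")
        and framing_policy(headers) == "unprotected"
    )


# Constructed sample responses (path -> headers), purely illustrative.
SAMPLE_RESPONSES = {
    "/page-without-headers": {"Content-Type": "text/html; charset=utf-8"},
    "/page-with-xfo": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",
    },
    "/page-with-csp": {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "/page-with-wildcard-csp": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "frame-ancestors *",
        "X-Frame-Options": "DENY",  # overridden by the CSP directive above
    },
    "/api-json": {"Content-Type": "application/json"},  # not a framable page
}

if __name__ == "__main__":
    for path in find_unprotected(SAMPLE_RESPONSES):
        print(f"frameable by any origin: {path}")
```

Feeding the function the headers of a live login or SSO page (for example from `curl -sI`) after the upgrade shows at a glance whether the served HTML now carries a framing restriction; a page that reports `unprotected` is the one to look at first.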
Comment 1 Sascha Biberhofer 2020-07-02 17:33:45 UTC
Created attachment 216149
py-matrix-synapse 1.15.2 vuln.xml entry

Here's the vuxml entry for this incident.
Comment 2 Automation User 2020-07-02 17:52:48 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/162580406
Comment 3 Li-Wen Hsu freebsd_committer 2020-07-03 04:25:34 UTC
(In reply to Sascha Biberhofer from comment #1)
Is it possible to convert this to a patch against security/vuxml/vuln.xml?
Comment 4 Sascha Biberhofer 2020-07-03 06:44:41 UTC
Created attachment 216156
py-matrix-synapse 1.15.2 vuln.xml entry (patch format)
Comment 5 Sascha Biberhofer 2020-07-03 06:46:52 UTC
(In reply to Li-Wen Hsu from comment #3)

Done. I avoided the patch since vuln.xml changes so rapidly that I wasn't sure a diff would apply cleanly. :)
Comment 6 Li-Wen Hsu freebsd_committer 2020-07-03 06:56:57 UTC
(In reply to Sascha Biberhofer from comment #5)
Thanks. Although it might not apply directly, it saves a lot of time on format editing. :-)  Oh, I probably should have asked for "vuxml format", which should be easier for both of us.  I'll remember that next time.
Comment 7 commit-hook freebsd_committer 2020-07-03 07:04:45 UTC
A commit references this bug:

Author: lwhsu
Date: Fri Jul  3 07:04:06 UTC 2020
New revision: 541079
URL: https://svnweb.freebsd.org/changeset/ports/541079

Log:
  Document net-im/py-matrix-synapse security issue before 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer 2020-07-03 07:06:47 UTC
A commit references this bug:

Author: lwhsu
Date: Fri Jul  3 07:06:28 UTC 2020
New revision: 541080
URL: https://svnweb.freebsd.org/changeset/ports/541080

Log:
  Update to 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2020Q3
  Security:	d9f686f3-fde0-48dc-ab0a-01c2fe3e0529

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
Comment 9 Li-Wen Hsu freebsd_committer 2020-07-03 07:07:14 UTC
Wait for MFH.
Comment 10 commit-hook freebsd_committer 2020-07-04 09:27:06 UTC
A commit references this bug:

Author: lwhsu
Date: Sat Jul  4 09:26:59 UTC 2020
New revision: 541183
URL: https://svnweb.freebsd.org/changeset/ports/541183

Log:
  MFH: r541080

  Update to 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	d9f686f3-fde0-48dc-ab0a-01c2fe3e0529

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/net-im/py-matrix-synapse/Makefile
  branches/2020Q3/net-im/py-matrix-synapse/distinfo
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-05 02:58:13 UTC
^Triage: Track merge