Created attachment 216148 [details]
net-im/py-matrix-synapse: 1.14.0 to 1.15.2

The matrix developers have just released synapse 1.15.2 (see [1]), containing security fixes for two vulnerabilities:

- A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers. (96e9afe6)
- HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade. (ea26e9a9)

This patch bumps the port to the aforementioned version. It also adds www/py-pyjwt to the test dependencies, which is necessary to make the testsuite pass successfully.

portlint: "OK" (4 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1063 tests in 327.652s, PASSED (skips=5, successes=1058))

The resulting port also runs fine on my server.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.15.2
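A check an administrator can run against a homeserver after upgrading, to confirm that HTML responses now carry framing protection against the clickjacking issue mentioned above. This is an added example, not code from Synapse or from the port; it assumes the fix takes the usual form of an `X-Frame-Options` header and/or a `Content-Security-Policy` `frame-ancestors` directive (the exact headers Synapse emits are not stated on this page), and the sample header sets below are constructed.

```python
"""Evaluate whether HTTP response headers block cross-origin framing.

Added example, not Synapse's own code. Assumption: the clickjacking fix
is expressed through X-Frame-Options and/or a Content-Security-Policy
frame-ancestors directive. The header dictionaries in SAMPLES are
constructed for illustration.
"""
import urllib.request
from typing import Dict, Mapping, Optional


def _lowercase_keys(headers: Mapping[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the lower-cased source list of the frame-ancestors directive,
    or None if the policy has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def is_frame_protected(headers: Mapping[str, str]) -> bool:
    """True if framing by other origins is blocked.

    When a CSP frame-ancestors directive is present, browsers that
    understand it ignore X-Frame-Options, so the directive decides.
    Only 'none' or 'self' (with no additional origins) count as protected;
    '*' or an allow-list of foreign origins does not.
    """
    h = _lowercase_keys(headers)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            tokens = sources.split()
            return bool(tokens) and all(t in ("'none'", "'self'") for t in tokens)
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a page and return its response headers (network access;
    not called at import time). Assumed usage: point it at an SSO page
    such as https://matrix.example/_matrix/client/r0/login/sso/redirect."""
    req = urllib.request.Request(url, headers={"Accept": "text/html"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed samples: what a fixed and an unfixed server might send.
SAMPLES = {
    "fixed_csp_and_xfo": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "xfo_only": {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "no_protection": {"Content-Type": "text/html"},
    # CSP explicitly allows any framer, which overrides the XFO header.
    "csp_overrides_xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
        "X-Frame-Options": "DENY",
    },
}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {'protected' if is_frame_protected(hdrs) else 'VULNERABLE'}")
```

Run it against a live server by calling `is_frame_protected(fetch_headers(url))` on a page that renders HTML; a plain API endpoint returning JSON is not an interesting target for this check.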
Created attachment 216149 [details] py-matrix-synapse 1.15.2 vuln.xml entry Here's the vuxml entry for this incident.
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/162580406
(In reply to Sascha Biberhofer from comment #1) Is it possible to convert this to a patch against security/vuxml/vuln.xml?
Created attachment 216156 [details] py-matrix-synapse 1.15.2 vuln.xml entry (patch format)
(In reply to Li-Wen Hsu from comment #3) Done. I avoided the patch since vuln.xml changes so rapidly that I wasn't sure a diff would apply cleanly. :)
(In reply to Sascha Biberhofer from comment #5) Thanks; although it might not apply directly, it reduces much of the time spent on format editing. :-) Oh, I probably should have asked for "vuxml format", which should be easier for both of us. I'll remember that next time.
A commit references this bug:

Author: lwhsu
Date: Fri Jul 3 07:04:06 UTC 2020
New revision: 541079
URL: https://svnweb.freebsd.org/changeset/ports/541079

Log:
  Document net-im/py-matrix-synapse security issue before 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: lwhsu
Date: Fri Jul 3 07:06:28 UTC 2020
New revision: 541080
URL: https://svnweb.freebsd.org/changeset/ports/541080

Log:
  Update to 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  MFH:		2020Q3
  Security:	d9f686f3-fde0-48dc-ab0a-01c2fe3e0529

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
Wait for MFH.
A commit references this bug:

Author: lwhsu
Date: Sat Jul 4 09:26:59 UTC 2020
New revision: 541183
URL: https://svnweb.freebsd.org/changeset/ports/541183

Log:
  MFH: r541080

  Update to 1.15.2

  PR:		247720
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Security:	d9f686f3-fde0-48dc-ab0a-01c2fe3e0529
  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/net-im/py-matrix-synapse/Makefile
  branches/2020Q3/net-im/py-matrix-synapse/distinfo
^Triage: Track merge