Created attachment 229668
net-im/py-matrix-synapse: Update to 1.47.1

This updates py-matrix-synapse to 1.47.1, which fixes a critical path traversal vulnerability when downloading remote media, see [1].

portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 130amd64)
do-test: OK (Ran 2017 tests in 1007.761s, PASSED (skips=36, successes=1981))

Since this affects all versions of synapse we should probably MFH it to our quarterly branch, if possible. I'll also try and write a vuln.xml entry later tonight.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c

Created attachment 229671
vuxml for CVE-2021-41281

Thank you Sascha, here is the vuxml :-).
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a3987e103053782333cdcc1a0cd772d61f333b4e

commit a3987e103053782333cdcc1a0cd772d61f333b4e
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-11-23 16:49:37 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-23 16:53:03 +0000

    net-im/py-matrix-synapse: Update to 1.47.1

    PR:        259994
    MFH:       2021Q4
    Security:  27aa2253-4c72-11ec-b6b9-e86a64caca56
    Security:  CVE-2021-41281

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c6782b5ef530f87268d42d171eef424244fb2822

commit c6782b5ef530f87268d42d171eef424244fb2822
Author:     Evilham <contact@evilham.com>
AuthorDate: 2021-11-23 16:45:05 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-23 16:53:00 +0000

    security/vuxml: Document vulnerability in Matrix Synapse

    PR:           259994
    Reported by:  Sascha Biberhofer <ports at skyforge dot at>
    Security:     27aa2253-4c72-11ec-b6b9-e86a64caca56
    Security:     CVE-2021-41281

 security/vuxml/vuln-2021.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Just an update here to explain the delay in merging to quarterly branch. Apparently 1.47.1 depends on www/py-pyjwt1 which is not in the quarterly branch :/.
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=06d01a3e6b0a2d6ac9f2c29b2f0a68605f30e0b6

commit 06d01a3e6b0a2d6ac9f2c29b2f0a68605f30e0b6
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-11-23 16:49:37 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-24 11:20:29 +0000

    net-im/py-matrix-synapse: Update to 1.47.1

    PR:        259994
    MFH:       2021Q4
    Security:  27aa2253-4c72-11ec-b6b9-e86a64caca56
    Security:  CVE-2021-41281

    (cherry picked from commit a3987e103053782333cdcc1a0cd772d61f333b4e)

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Committed to quarterly after making sure it does not break INDEX, and builds fine, and checking with portmgr@ (Thanks tcberner@). Thanks!
Lovely, thank you! Ignorance asking here: shouldn't vuxml be updated too in 2021Q4 referring to this PR?
(In reply to Evilham from comment #7)

AFAIK, vuxml does not need to be updated, as end-users don't directly use the security/vuxml port, but instead they use the audit file (using pkg-audit(8)) available from FreeBSD mirrors.

And also, I don't see any commits in the security/vuxml commit log[0] for the time frame of the 2021Q4 branch, or in older quarterly branches for that matter.

References:
[0] https://cgit.freebsd.org/ports/log/security/vuxml?h=2021Q4

HTH
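To show what the vuxml entry attached above looks like and how pkg-audit(8) consults the audit file as described in this comment, here is an added example that is not part of this PR or of the FreeBSD ports tree: a small reader that checks installed package strings against a VuXML entry. The vid, CVE, fixed version and advisory URL in the sample entry come from this thread; the package names (one per Python flavor), the dates and the simplified version ordering are my assumptions.

```python
import operator
import re
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample entry, not the one committed to security/vuxml: the vid,
# CVE, fixed version and advisory URL are from PR 259994; the package names
# (one per Python flavor) and the dates are assumptions for illustration.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="27aa2253-4c72-11ec-b6b9-e86a64caca56">
    <topic>Matrix Synapse -- path traversal in remote media download</topic>
    <affects><package>
      <name>py38-matrix-synapse</name><name>py39-matrix-synapse</name>
      <range><lt>1.47.1</lt></range>
    </package></affects>
    <references>
      <cvename>CVE-2021-41281</cvename>
      <url>https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c</url>
    </references>
    <dates><discovery>2021-11-23</discovery><entry>2021-11-23</entry></dates>
  </vuln>
</vuxml>"""

def version_key(version):
    """Simplified ordering: dotted numeric parts, then the _N PORTREVISION
    suffix. Real pkg(8) version rules are richer (pl, alpha, +, etc.)."""
    base, _, rev = version.partition("_")
    return [int(p) for p in re.findall(r"\d+", base)], int(rev or 0)

def in_range(version, range_el):
    """True when `version` satisfies every lt/le/gt/ge bound of a <range>."""
    ops = {"lt": operator.lt, "le": operator.le, "gt": operator.gt, "ge": operator.ge}
    return all(ops[bound.tag[len(NS):]](version_key(version), version_key(bound.text))
               for bound in range_el)

def audit(installed, vuxml_text=SAMPLE_VUXML):
    """Like pkg-audit(8): map each affected 'name-version' package string to
    the (vid, [CVEs]) pairs whose <package> names and <range> match it."""
    root = ET.fromstring(vuxml_text)
    hits = {}
    for pkg in installed:
        name, _, version = pkg.rpartition("-")
        for vuln in root.iter(NS + "vuln"):
            for package in vuln.iter(NS + "package"):
                if name not in [n.text for n in package.findall(NS + "name")]:
                    continue
                if any(in_range(version, r) for r in package.findall(NS + "range")):
                    cves = [c.text for c in vuln.iter(NS + "cvename")]
                    hits.setdefault(pkg, []).append((vuln.get("vid"), cves))
    return hits
```

On a real system the same check is `pkg audit -F`, which fetches the compiled audit file from the mirrors rather than reading the security/vuxml port, which is why the quarterly branch does not need the vuxml commit.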