FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
07c0d782-f758-11ec-acaa-901b0e9408dcpy-matrix-synapse -- unbounded recursion in urlpreview

Matrix developers report:

This release fixes a vulnerability with Synapse's URL preview feature. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.

Note that:

  • Homeservers with the url_preview_enabled configuration option set to false (the default value) are unaffected.
  • Instances with the enable_media_repo configuration option set to false are also unaffected, as this also disables the URL preview functionality.

Discovery 2022-06-28
Entry 2022-06-29
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse
py310-matrix-synapse
py311-matrix-synapse
< 1.61.1

CVE-2022-31052
https://matrix.org/blog/2022/06/28/security-release-synapse-1-61-1
a67e358c-0bf6-11ec-875e-901b0e9408dcpy-matrix-synapse -- several vulnerabilities

Matrix developers report:

This release patches two moderate severity issues which could reveal metadata about private rooms:

  • CVE-2021-39164: Enumerating a private room's list of members and their display names.
  • CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.

Discovery 2021-08-31
Entry 2021-09-02
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse
py310-matrix-synapse
< 1.41.1

ports/258187
CVE-2021-39164
CVE-2021-39163
https://matrix.org/blog/2021/08/31/synapse-1-41-1-released
278561d7-b261-11eb-b788-901b0e934d69py-matrix-synapse -- malicious push rules may be used for a denial of service attack.

Matrix developers report:

"Push rules" can specify conditions under which they will match, including event_match, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.


Discovery 2021-05-11
Entry 2021-05-11
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse
< 1.33.2

CVE-2021-29471
https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85
27aa2253-4c72-11ec-b6b9-e86a64caca56py-matrix-synapse -- several vulnerabilities

Matrix developers report:

This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository.

Note that:

  • This only affects homeservers using Synapse's built-in media repository, as opposed to synapse-s3-storage-provider or matrix-media-repo.
  • Attackers cannot control the exact name or destination of the stored file.

Discovery 2021-11-18
Entry 2021-11-23
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse
py310-matrix-synapse
< 1.47.1

ports/259994
CVE-2021-41281
https://matrix.org/blog/2021/11/23/synapse-1-47-1-released