FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 27aa2253-4c72-11ec-b6b9-e86a64caca56
py-matrix-synapse -- several vulnerabilities

Matrix developers report:

This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository.

Note that:

  • This only affects homeservers using Synapse's built-in media repository, as opposed to synapse-s3-storage-provider or matrix-media-repo.
  • Attackers cannot control the exact name or destination of the stored file.

Discovery: 2021-11-18
Entry: 2021-11-23
Affected packages: py36-matrix-synapse, py37-matrix-synapse, py38-matrix-synapse, py39-matrix-synapse, py310-matrix-synapse < 1.47.1

References:
ports/259994
CVE-2021-41281
https://matrix.org/blog/2021/11/23/synapse-1-47-1-released


VuXML ID: cfa0be42-3cd7-11eb-9de7-641c67a117d8
py-matrix-synapse -- DoS on Federation API

Matrix developers report:

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.


Discovery: 2020-12-09
Entry: 2020-12-13
Affected packages: py36-matrix-synapse, py37-matrix-synapse, py38-matrix-synapse, py39-matrix-synapse < 1.23.1

References:
CVE-2020-26257
https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm
ports/251768


VuXML ID: 38d2df4d-b143-11e9-87e7-901b0e934d69
py-matrix-synapse -- multiple vulnerabilities

Matrix developers report:

The matrix team releases Synapse 1.2.1 as a critical security update. It contains patches relating to redactions and event federation:

  • Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms.
  • Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely.
  • Prevent an attack where users could be joined or parted from public rooms without their consent.
  • Fix a vulnerability where a federated server could spoof read-receipts from users on other servers.
  • It was possible for a room moderator to send a redaction for an m.room.create event, which would downgrade the room to version 1.

Discovery: 2019-07-26
Entry: 2019-07-28
Affected packages: py27-matrix-synapse, py35-matrix-synapse, py36-matrix-synapse, py37-matrix-synapse < 1.2.1

References:
https://matrix.org/blog/2019/07/26/critical-security-update-synapse-1-2-1-released
https://github.com/matrix-org/synapse/releases/tag/v1.2.1


VuXML ID: 5f39d80f-107c-11eb-8b47-641c67a117d8
py-matrix-synapse -- XSS vulnerability

Matrix developers report:

The fallback authentication endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.


Discovery: 2020-10-01
Entry: 2020-10-17
Affected packages: py36-matrix-synapse, py37-matrix-synapse, py38-matrix-synapse, py39-matrix-synapse < 1.21.0

References:
CVE-2020-26891
https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq
https://github.com/matrix-org/synapse/releases/tag/v1.21.2
ports/249948


VuXML ID: 1afe9552-5ee3-11ea-9b6d-901b0e934d69
py-matrix-synapse -- users of single-sign-on are vulnerable to phishing

Matrix developers report:

[The 1.11.1] release includes a security fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.


Discovery: 2020-03-03
Entry: 2020-03-11
Affected packages: py35-matrix-synapse, py36-matrix-synapse, py37-matrix-synapse < 1.11.1

References:
https://github.com/matrix-org/synapse/releases/tag/v1.11.1


VuXML ID: d9f686f3-fde0-48dc-ab0a-01c2fe3e0529
py-matrix-synapse -- multiple vulnerabilities

Matrix developers report:

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

  • A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers.
  • HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade.

Discovery: 2020-07-02
Entry: 2020-07-03
Affected packages: py36-matrix-synapse, py37-matrix-synapse, py38-matrix-synapse < 1.15.2

References:
https://github.com/matrix-org/synapse/releases/tag/v1.15.2


VuXML ID: a67e358c-0bf6-11ec-875e-901b0e9408dc
py-matrix-synapse -- several vulnerabilities

Matrix developers report:

This release patches two moderate severity issues which could reveal metadata about private rooms:

  • CVE-2021-39164: Enumerating a private room's list of members and their display names.
  • CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.

Discovery: 2021-08-31
Entry: 2021-09-02
Affected packages: py36-matrix-synapse, py37-matrix-synapse, py38-matrix-synapse, py39-matrix-synapse, py310-matrix-synapse < 1.41.1

References:
ports/258187
CVE-2021-39164
CVE-2021-39163
https://matrix.org/blog/2021/08/31/synapse-1-41-1-released


VuXML ID: ed8cbad5-21a8-11ea-9b6d-901b0e934d69
py-matrix-synapse -- multiple vulnerabilities

Matrix developers report:

The [synapse 1.7.1] release includes several security fixes as well as a fix to a bug exposed by the security fixes. All previous releases of Synapse are affected. Administrators are encouraged to upgrade as soon as possible.

  • Fix a bug which could cause room events to be incorrectly authorized using events from a different room.
  • Fix a bug causing responses to the /context client endpoint to not use the pruned version of the event.
  • Fix a cause of state resets in room versions 2 onwards.

Discovery: 2019-12-18
Entry: 2019-12-18
Affected packages: py35-matrix-synapse, py36-matrix-synapse, py37-matrix-synapse < 1.7.1

References:
https://github.com/matrix-org/synapse/releases/tag/v1.7.1


VuXML ID: 383931ba-1818-11e9-92ea-448a5b29e8a9
py-matrix-synapse -- undisclosed vulnerability

Matrix developers report:

The matrix team announces the availability of synapse security releases 0.34.0.1 and 0.34.1.1, fixing CVE-2019-5885.


Discovery: 2019-01-10
Entry: 2019-01-15
Affected packages: py27-matrix-synapse, py35-matrix-synapse, py36-matrix-synapse, py37-matrix-synapse < 0.34.1.1

References:
CVE-2019-5885
https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/


VuXML ID: 9c36d41c-11df-11ea-9b6d-901b0e934d69
py-matrix-synapse -- incomplete cleanup of 3rd-party-IDs on user deactivation

Matrix developers report:

Clean up local threepids from user on account deactivation.


Discovery: 2019-11-28
Entry: 2019-11-28
Affected packages: py35-matrix-synapse, py36-matrix-synapse, py37-matrix-synapse < 1.6.1

References:
https://github.com/matrix-org/synapse/releases/tag/v1.6.1
https://github.com/matrix-org/synapse/pull/6426


VuXML ID: 07c0d782-f758-11ec-acaa-901b0e9408dc
py-matrix-synapse -- unbounded recursion in urlpreview

Matrix developers report:

This release fixes a vulnerability with Synapse's URL preview feature. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.

Note that:

  • Homeservers with the url_preview_enabled configuration option set to false (the default value) are unaffected.
  • Instances with the enable_media_repo configuration option set to false are also unaffected, as this also disables the URL preview functionality.

Discovery: 2022-06-28
Entry: 2022-06-29
Affected packages: py37-matrix-synapse, py38-matrix-synapse, py39-matrix-synapse, py310-matrix-synapse, py311-matrix-synapse < 1.61.1

References:
CVE-2022-31052
https://matrix.org/blog/2022/06/28/security-release-synapse-1-61-1


VuXML ID: 42675046-fa70-11e9-ba4e-901b0e934d69
py-matrix-synapse -- missing signature checks on some federation APIs

Matrix developers report:

Make sure that [...] events sent over /send_join, /send_leave, and /invite, are correctly signed and come from the expected servers.


Discovery: 2019-10-29
Entry: 2019-10-29
Affected packages: py35-matrix-synapse, py36-matrix-synapse, py37-matrix-synapse < 1.5.0

References:
https://github.com/matrix-org/synapse/pull/6262
https://github.com/matrix-org/synapse/releases/tag/v1.5.0


VuXML ID: 278561d7-b261-11eb-b788-901b0e934d69
py-matrix-synapse -- malicious push rules may be used for a denial of service attack

Matrix developers report:

"Push rules" can specify conditions under which they will match, including event_match, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.


Discovery: 2021-05-11
Entry: 2021-05-11
Affected packages: py36-matrix-synapse, py37-matrix-synapse, py38-matrix-synapse, py39-matrix-synapse < 1.33.2

References:
CVE-2021-29471
https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85


VuXML ID: 2327234d-fc4b-11ea-adef-641c67a117d8
py-matrix-synapse -- malformed events may prevent users from joining federated rooms

Problem Description:

Affected Synapse versions assume that all events have an "origin" field set. If an event without the "origin" field is sent into a federated room, servers not already joined to the room will be unable to do so due to failing to fetch the malformed event.

Impact:

An attacker could cause a denial of service by deliberately sending a malformed event into a room, thus preventing new servers (and thus their users) from joining the room.


Discovery: 2020-09-16
Entry: 2020-09-21
Affected packages: py36-matrix-synapse, py37-matrix-synapse, py38-matrix-synapse < 1.19.2

References:
https://github.com/matrix-org/synapse/issues/8319
https://github.com/matrix-org/synapse/pull/8324
https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md