matrix-synapse: CVE-2018-16515: Failures to correctly validate signatures on transactions and events

Debian Bug report logs - #908044

Reported by: Andrej Shadura <andrewsh@debian.org>

Date: Wed, 5 Sep 2018 13:15:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version matrix-synapse/0.33.3-1

Fixed in version matrix-synapse/0.33.3.1-1

Done: Andrej Shadura <andrewsh@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>:
Bug#908044; Package matrix-synapse. (Wed, 05 Sep 2018 13:15:05 GMT)


Acknowledgement sent to Andrej Shadura <andrewsh@debian.org>:
New Bug report received and forwarded. Copy sent to Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>. (Wed, 05 Sep 2018 13:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Andrej Shadura <andrewsh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: matrix-synapse: CVE-2018-16515: Undisclosed security vulnerability
Date: Wed, 05 Sep 2018 15:11:29 +0200
Package: matrix-synapse
Version: 0.33.3-1
Severity: grave
Tags: patch security upstream
Control: fixed -1 0.33.3.1-1

From https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/:

> During the ongoing work to finalise a stable release of Matrix’s
> Server-Server federation API, we’ve been doing a full audit of
> Synapse’s implementation and have identified a serious vulnerability
> which we are going to release a security update to address (Synapse
> 0.33.3.1) on Thursday Sept 6th 2018 at 12:00 UTC.

-- 
Cheers,
  Andrej

Marked as fixed in versions 0.33.3.1-1. Request was from Andrej Shadura <andrewsh@debian.org> to submit@bugs.debian.org. (Wed, 05 Sep 2018 13:15:05 GMT)


No longer marked as fixed in versions 0.33.3.1-1. Request was from Andrej Shadura <andrewsh@debian.org> to control@bugs.debian.org. (Thu, 06 Sep 2018 05:00:03 GMT)


Reply sent to Andrej Shadura <andrewsh@debian.org>:
You have taken responsibility. (Thu, 06 Sep 2018 12:21:15 GMT)


Notification sent to Andrej Shadura <andrewsh@debian.org>:
Bug acknowledged by developer. (Thu, 06 Sep 2018 12:21:16 GMT)


Message #14 received at 908044-close@bugs.debian.org:

From: Andrej Shadura <andrewsh@debian.org>
To: 908044-close@bugs.debian.org
Subject: Bug#908044: fixed in matrix-synapse 0.33.3.1-1
Date: Thu, 06 Sep 2018 12:19:47 +0000
Source: matrix-synapse
Source-Version: 0.33.3.1-1

We believe that the bug you reported is fixed in the latest version of
matrix-synapse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908044@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andrewsh@debian.org> (supplier of updated matrix-synapse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 06 Sep 2018 12:00:03 +0200
Source: matrix-synapse
Binary: matrix-synapse
Architecture: all source
Version: 0.33.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andrewsh@debian.org>
Closes: 908044
Description: 
 matrix-synapse - Matrix reference homeserver
Changes:
 matrix-synapse (0.33.3.1-1) unstable; urgency=high
 .
   * New upstream version.
     - SECURITY UPDATE (CVE-2018-16515):
       Check that signatures on events are valid
       Fix origin handling for pushed transactions
     - Closes: #908044.


Changed Bug title to 'matrix-synapse: CVE-2018-16515: Failures to correctly validate signatures on transactions and events' from 'matrix-synapse: CVE-2018-16515: Undisclosed security vulnerability'. Request was from Andrej Shadura <andrewsh@debian.org> to control@bugs.debian.org. (Fri, 07 Sep 2018 17:21:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Oct 2018 07:28:18 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:10:24 2019; Machine Name: beach