Debian Bug report logs -
#1037207
matrix-synapse: CVE-2023-32682 CVE-2023-32683
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>:
Bug#1037207; Package src:matrix-synapse.
(Wed, 07 Jun 2023 18:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>.
(Wed, 07 Jun 2023 18:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: matrix-synapse
Version: 1.78.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for matrix-synapse.
CVE-2023-32682[0]:
| Synapse is a Matrix protocol homeserver written in Python with the
| Twisted framework. In affected versions it may be possible for a
| deactivated user to login when using uncommon configurations. This
| only applies if any of the following are true: 1. JSON Web Tokens
| are enabled for login via the `jwt_config.enabled` configuration
| setting. 2. The local password database is enabled via the
| `password_config.enabled` and `password_config.localdb_enabled`
| configuration settings *and* a user's password is updated via an
| admin API after a user is deactivated. Note that the local password
| database is enabled by default, but it is uncommon to set a user's
| password after they've been deactivated. Installations that are
| configured to only allow login via Single Sign-On (SSO) via CAS,
| SAML or OpenID Connect (OIDC); or via an external password provider
| (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure
| that deactivated users do not have a password set. This issue has
| been addressed in version 1.85.0. Users are advised to upgrade.
CVE-2023-32683[1]:
| Synapse is a Matrix protocol homeserver written in Python with the
| Twisted framework. A discovered oEmbed or image URL can bypass the
| `url_preview_url_blacklist` setting potentially allowing server side
| request forgery or bypassing network policies. Impact is limited to
| IP addresses allowed by the `url_preview_ip_range_blacklist` setting
| (by default this only allows public IPs) and by the limited
| information returned to the client: 1. For discovered oEmbed URLs,
| any non-JSON response or a JSON response which includes non-oEmbed
| information is discarded. 2. For discovered image URLs, any non-
| image response is discarded. Systems which have URL preview disabled
| (via the `url_preview_enabled` setting) or have not configured a
| `url_preview_url_blacklist` are not affected. This issue has been
| addressed in version 1.85.0. Users are advised to upgrade. User
| unable to upgrade may also disable URL previews.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-32682
https://www.cve.org/CVERecord?id=CVE-2023-32682
[1] https://security-tracker.debian.org/tracker/CVE-2023-32683
https://www.cve.org/CVERecord?id=CVE-2023-32683
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Jun 8 18:32:28 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon