Date: Tue, 23 Nov 2021 16:53:40 GMT
From: Ashish SHUKLA <ashish@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: c6782b5ef530 - main - security/vuxml: Document vulnerability in Matrix Synapse
Message-ID: <202111231653.1ANGrewN027567@gitrepo.freebsd.org>
The branch main has been updated by ashish: URL: https://cgit.FreeBSD.org/ports/commit/?id=c6782b5ef530f87268d42d171eef424244fb2822 commit c6782b5ef530f87268d42d171eef424244fb2822 Author: Evilham <contact@evilham.com> AuthorDate: 2021-11-23 16:45:05 +0000 Commit: Ashish SHUKLA <ashish@FreeBSD.org> CommitDate: 2021-11-23 16:53:00 +0000 security/vuxml: Document vulnerability in Matrix Synapse PR: 259994 Reported by: Sascha Biberhofer <ports at skyforge dot at> Security: 27aa2253-4c72-11ec-b6b9-e86a64caca56 Security: CVE-2021-41281 --- security/vuxml/vuln-2021.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 909c8fe96f1e..74463ed364ca 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml 
@@ -1,3 +1,45 @@ + <vuln vid="27aa2253-4c72-11ec-b6b9-e86a64caca56"> + <topic>py-matrix-synapse -- several vulnerabilities</topic> + <affects> + <package> + <name>py36-matrix-synapse</name> + <name>py37-matrix-synapse</name> + <name>py38-matrix-synapse</name> + <name>py39-matrix-synapse</name> + <name>py310-matrix-synapse</name> + <range><lt>1.47.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Matrix developers report:</p> + <blockquote cite="https://matrix.org/blog/2021/11/23/synapse-1-47-1-released"> + <p>This release patches one high severity issue affecting + Synapse installations 1.47.0 and earlier using the media repository. + An attacker could cause these Synapses to download a remote file + and store it in a directory outside the media repository.</p> + <p>Note that:</p> + <ul> + <li>This only affects homeservers using Synapse's built-in media + repository, as opposed to synapse-s3-storage-provider or + matrix-media-repo.</li> + <li>Attackers cannot control the exact name or destination of the + stored file.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <freebsdpr>ports/259994</freebsdpr> + <cvename>CVE-2021-41281</cvename> + <url>https://matrix.org/blog/2021/11/23/synapse-1-47-1-released</url> + </references> + <dates> + <discovery>2021-11-18</discovery> + <entry>2021-11-23</entry> + </dates> + </vuln> + <vuln vid="0bf816f6-3cfe-11ec-86cd-dca632b19f10"> <topic>advancecomp -- multiple vulnerabilities</topic> <affects>
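Review bot: The <topic> line reads "py-matrix-synapse -- several vulnerabilities", but the quoted advisory in the same entry describes "one high severity issue" and <references> carries a single <cvename>, CVE-2021-41281. A topic that names the issue would match the body and make the entry easier to triage from audit output, for example "py-matrix-synapse -- remote file stored outside the media repository". The <range><lt>1.47.1</lt></range> bound agrees with the quoted "1.47.0 and earlier", so no change is needed there.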