Bug 2026127
| Summary: | CVE-2021-41281: remote overwrite vulnerability in <= 1.47.0 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | customercare |
| Component: | matrix-synapse | Assignee: | Dan Callaghan <djc> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | djc, fedora, mrehak, V02460 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | matrix-synapse-1.48.0-1.fc35 matrix-synapse-1.48.0-1.fc34 | Doc Type: | --- |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-12-09 01:11:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2027229 | ||
FEDORA-2021-39a23c1aa0 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-39a23c1aa0 FEDORA-2021-4878d3d55b has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-4878d3d55b FEDORA-2021-4878d3d55b has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-4878d3d55b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-4878d3d55b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-39a23c1aa0 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-39a23c1aa0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-39a23c1aa0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-9758549fce has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9758549fce` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9758549fce See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-2f9dcdbace has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-2f9dcdbace` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-2f9dcdbace See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-9758549fce has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-2f9dcdbace has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 2027230 has been marked as a duplicate of this bug. *** |
Today we are releasing Synapse 1.47.1, a security update based on last week's release of Synapse 1.47.0. This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository. Note that: This only affects homeservers using Synapse's built-in media repository, as opposed to synapse-s3-storage-provider or matrix-media-repo. Attackers cannot control the exact name or destination of the stored file. To quote from the advisory: GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when downloading remote media. Impact Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory. The last two directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected. The advisory has full details, including workarounds. This issue was discovered and fixed by our internal security team. Please update at your earliest convenience.