As reported:

Pre-disclosure: Upcoming critical security fix for Synapse

Hi all,

During the ongoing work to finalise a stable release of Matrix’s Server-Server federation API, we’ve been doing a full audit of Synapse’s implementation and have identified a serious vulnerability which we are going to release a security update to address (Synapse 0.33.3.1) on Thursday Sept 6th at 12:00 UTC.

We are coordinating with package maintainers to ensure that patched versions of packages will be available at that time - meanwhile, if you run your own Synapse, please be prepared to upgrade as soon as the patched versions are released.

All previous versions of Synapse are affected, so everyone will want to upgrade.

Thank you for your time, patience and understanding while we resolve the issue,

References: https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/
More info on the issue: https://security-tracker.debian.org/tracker/CVE-2018-16515
Is it fixed? Can this bug be closed now? (2 years later!)
(In reply to customercare from comment #2)
> Is it fixed? Can this bug be closed now? (2 years later!)

yep, closed.