Bug 1626111 (CVE-2018-16515) - CVE-2018-16515 matrix-synapse: pre-disclosure of critical vulnerability
Summary: CVE-2018-16515 matrix-synapse: pre-disclosure of critical vulnerability
Status: NEW
Alias: CVE-2018-16515
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20180905,repor...
Keywords: Security
Depends On:
Blocks:
Reported: 2018-09-06 15:17 UTC by Pedro Sampaio
Modified: 2019-06-08 23:35 UTC (History)



Description Pedro Sampaio 2018-09-06 15:17:24 UTC
As reported:

Pre-disclosure: Upcoming critical security fix for Synapse

Hi all,

During the ongoing work to finalise a stable release of Matrix’s Server-Server federation API, we’ve been doing a full audit of Synapse’s implementation and have identified a serious vulnerability which we are going to release a security update to address (Synapse 0.33.3.1) on Thursday Sept 6th at 12:00 UTC.

We are coordinating with package maintainers to ensure that patched versions of packages will be available at that time - meanwhile, if you run your own Synapse, please be prepared to upgrade as soon as the patched versions are released.  All previous versions of Synapse are affected, so everyone will want to upgrade.

Thank you for your time, patience and understanding while we resolve the issue,

References:

https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/

Comment 1 Andrej Shadura 2018-09-09 09:38:00 UTC
More info on the issue: https://security-tracker.debian.org/tracker/CVE-2018-16515

