Disclosing Synapse security advisories 2023-05-24 — Security — Denis Kasak (dkasak)

Today we are retroactively publishing advisories for security bugs in Synapse. From oldest to most recent, they are: GHSA-p9qp-c452-f9r7 (CVE-2022-39374), fixed in Synapse 1.68.0 and affecting all prior versions since Synapse 1.62.0; GHSA-45cj-f97f-ggwv (CVE-2022-39335), fixed in Synapse 1.69.0 and affecting all prior versions; and finally GHSA-f3wc-3vxv-xmvr (CVE-2023-32323), fixed in Synapse 1.74.0 and affecting all prior versions.

We strongly advise Synapse operators who are still on earlier Synapse versions to upgrade to the latest version (v1.84.0) or at the very least v1.74.0 (released Dec 2022), to prevent attacks based on these vulnerabilities. Please see the advisories for the full details, including a description of the vulnerability and potential attacks, exactly which deployments are vulnerable, and workarounds and mitigations.

Because these bugs are either related to or exploitable over Matrix federation, we have delayed publishing these advisories until now out of caution. This allowed us to ensure that the majority of Synapse homeservers across the public federation have upgraded to a sufficiently patched version, based on the (opt-in) stats reporting to the Matrix.org foundation.

If you have any questions or comments about this announcement or any of the advisories, e-mail us at security.

Reproducible: Always
https://matrix.org/blog/2023/05/24/disclosing-synapse-security-advisories
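Added example (not part of the bug report or of the Synapse project): a small checker that takes a deployed Synapse version string and reports which of the three advisories quoted above still apply, using exactly the affected ranges stated there. It assumes plain "major.minor.patch" version strings, optionally prefixed with "v"; a pre-release suffix such as "rc1" is treated as older than the corresponding final release.

```python
import sys
from typing import List, NamedTuple, Tuple


class Advisory(NamedTuple):
    ghsa: str
    cve: str
    fixed_in: str    # first release containing the fix
    introduced: str  # first affected release, or "" when all prior versions are affected


# Affected ranges as stated in the matrix.org announcement quoted above.
ADVISORIES = [
    Advisory("GHSA-p9qp-c452-f9r7", "CVE-2022-39374", "1.68.0", "1.62.0"),
    Advisory("GHSA-45cj-f97f-ggwv", "CVE-2022-39335", "1.69.0", ""),
    Advisory("GHSA-f3wc-3vxv-xmvr", "CVE-2023-32323", "1.74.0", ""),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v1.74.0' or '1.74.0rc1' into a comparable tuple.

    A final release sorts as (..., 1, 0); a release candidate as (..., 0, n),
    so 1.74.0rc1 < 1.74.0 and is still counted as unfixed.
    """
    core, _, rc = text.strip().lstrip("v").partition("rc")
    parts = tuple(int(p) for p in core.split("."))
    return parts + ((0, int(rc)) if rc else (1, 0))


def affecting(version: str) -> List[str]:
    """Return the CVE ids of advisories that still apply to this version."""
    v = parse_version(version)
    hits = []
    for adv in ADVISORIES:
        if v >= parse_version(adv.fixed_in):
            continue  # already fixed
        if adv.introduced and v < parse_version(adv.introduced):
            continue  # bug not yet present in this release
        hits.append(adv.cve)
    return hits


if __name__ == "__main__":
    # Usage: python check_synapse.py 1.69.0
    ver = sys.argv[1] if len(sys.argv) > 1 else "1.74.0"
    open_cves = affecting(ver)
    print(f"Synapse {ver}: " + (", ".join(open_cves) if open_cves else "no open advisories"))
```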
Emergency workaround for F37: $ dnf update matrix-synapse --releasever=38
Properly updating Synapse in F37 requires newer versions of python-twisted and python-setuptools-rust (and optionally a newer version of py-icu for user search). I am currently figuring out if cherry-picking the fixes is an alternative.
I backported the fix for CVE-2022-39335 to F37. The fixes for CVE-2022-39374 [1] and CVE-2023-32323 [2] don't apply cleanly. I will not be able to address those in a timely manner as I am away for the next few days. For reference, I have a copr [3] for matrix-synapse that runs on F37. @The maintainers of python-twisted and python-setuptools-rust: Is an update of your packages possible for F37?

[1] https://github.com/matrix-org/synapse/pull/14642
[2] https://github.com/matrix-org/synapse/pull/13723
[3] https://copr.fedorainfracloud.org/coprs/v02460/matrix-synapse
An update of python-setuptools-rust is possible but time consuming. I may have to coordinate with other packagers to update its dependencies on F37. Is 1.5.2 (rawhide) recent enough or would you need latest upstream 1.6.0?
@cheimes Updating to python-setuptools-rust version 1.5.2 is recent enough. Although it only makes sense if python-twisted is updated as well. @zebob.m Is it feasible to update python-twisted to 22.10 (from 22.04) in F37?
python-setuptools-rust has been updated to 1.6.0 in all supported versions of Fedora, #2190299.