[Pkg-matrix-maintainers] Bug#1043162: matrix-sydent: CVE-2023-38686

Salvatore Bonaccorso carnil at debian.org
Sun Aug 6 20:28:29 BST 2023


Source: matrix-sydent
Version: 2.5.1-1.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/matrix-org/sydent/pull/574
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for matrix-sydent.

CVE-2023-38686[0]:
| Sydent is an identity server for the Matrix communications protocol.
| Prior to version 2.5.6, if configured to send emails using TLS,
| Sydent does not verify SMTP servers' certificates. This makes
| Sydent's emails vulnerable to interception via a man-in-the-middle
| (MITM) attack. Attackers with privileged access to the network can
| intercept room invitations and address confirmation emails. This is
| patched in Sydent 2.5.6. When patching, make sure that Sydent trusts
| the certificate of the server it is connecting to. This should
| happen automatically when using properly issued certificates. Those
| who use self-signed certificates should make sure to copy their
| Certification Authority certificate, or their self signed
| certificate if using only one, to the trust store of your operating
| system. As a workaround, one can ensure Sydent's emails fail to send
| by setting the configured SMTP server to a loopback or non-routable
| address under one's control which does not have a listening SMTP
| server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38686
    https://www.cve.org/CVERecord?id=CVE-2023-38686
[1] https://github.com/matrix-org/sydent/pull/574
[2] https://github.com/matrix-org/sydent/commit/1cd748307c6b168b66154e6c4db715d4b9551261
[3] https://github.com/matrix-org/sydent/security/advisories/GHSA-p6hw-wm59-3g5g

Regards,
Salvatore
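To make the weakness concrete for packagers reviewing the fix, here is an added example (not Sydent's code, and not from this bug report) that puts the weak TLS setting next to the corrected one using only the Python standard library. The function names `insecure_smtp_context`, `hardened_smtp_context`, `context_verifies_peer`, `send_with_starttls` and `unused_loopback_port` are my own; Sydent's actual mail stack is not reproduced here. It also models the advisory's workaround: pointing the sender at a loopback port with no listener so that delivery fails instead of being sent over an unverified channel.

```python
import smtplib
import socket
import ssl
from typing import Optional


def insecure_smtp_context() -> ssl.SSLContext:
    """The weak pattern: TLS is negotiated, but the server certificate is
    never checked, so an on-path host can present any certificate and read
    the mail. This is the class of defect CVE-2023-38686 describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_smtp_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """The corrected pattern: require a certificate chain that validates
    against the OS trust store (or an explicit CA bundle, e.g. for a
    self-signed deployment, as the advisory recommends) and check that the
    certificate matches the hostname being connected to."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context both demands a certificate
    and checks the hostname; anything else is MITM-able."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_with_starttls(host: str, port: int, ctx: ssl.SSLContext,
                       sender: str, recipient: str, body: str,
                       timeout: float = 5.0) -> bool:
    """Attempt a STARTTLS delivery with the given context. Returns True on
    success and False if the connection, TLS handshake or send fails
    (an unverifiable certificate surfaces as ssl.SSLError, an OSError)."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            smtp.sendmail(sender, [recipient], body)
        return True
    except (OSError, smtplib.SMTPException):
        return False


def unused_loopback_port() -> int:
    """Pick a loopback port that currently has no listener. Used to model
    the advisory's workaround of configuring an SMTP server address under
    one's control that does not accept connections."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("insecure context verifies peer:", context_verifies_peer(insecure_smtp_context()))
    print("hardened context verifies peer:", context_verifies_peer(hardened_smtp_context()))
    # Workaround check: with no listener on the loopback port, nothing is sent.
    port = unused_loopback_port()
    delivered = send_with_starttls("127.0.0.1", port, hardened_smtp_context(),
                                   "sydent@example.invalid", "user@example.invalid",
                                   "Subject: test\r\n\r\nconstructed sample body\r\n")
    print("delivered via non-listening loopback port:", delivered)
```

For a real deployment, `hardened_smtp_context()` with no `ca_file` is the case the advisory calls "properly issued certificates"; a self-signed SMTP server is handled either by adding its CA (or the certificate itself) to the OS trust store, or by passing that file as `ca_file`, never by falling back to `CERT_NONE`.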


