[Pkg-matrix-maintainers] Bug#1053283: matrix-synapse: CVE-2023-42453 CVE-2023-41335

Salvatore Bonaccorso carnil at debian.org
Sat Sep 30 19:52:27 BST 2023


Source: matrix-synapse
Version: 1.92.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for matrix-synapse.

CVE-2023-42453[0]:
| Synapse is an open-source Matrix homeserver written and maintained
| by the Matrix.org Foundation. Users were able to forge read receipts
| for any event (if they knew the room ID and event ID). Note that the
| users were not able to view the events, but simply mark them as read.
| This could be confusing as clients will show the event as read by
| the user, even if they are not in the room. This issue has been
| patched in version 1.93.0. Users are advised to upgrade. There are
| no known workarounds for this issue.


CVE-2023-41335[1]:
| Synapse is an open-source Matrix homeserver written and maintained
| by the Matrix.org Foundation. When users update their passwords, the
| new credentials may be briefly held in the server database. While
| this doesn't grant the server any added capabilities—it already
| learns the users' passwords as part of the authentication process—it
| does disrupt the expectation that passwords won't be stored in the
| database. As a result, these passwords could inadvertently be
| captured in database backups for a longer duration. These
| temporarily stored passwords are automatically erased after a
| 48-hour window. This issue has been addressed in version 1.93.0.
| Users are advised to upgrade. There are no known workarounds for
| this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42453
    https://www.cve.org/CVERecord?id=CVE-2023-42453
    https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
[1] https://security-tracker.debian.org/tracker/CVE-2023-41335
    https://www.cve.org/CVERecord?id=CVE-2023-41335
    https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5

Regards,
Salvatore



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
