Bug 1107602 (CVE-2018-16515)

Summary: VUL-0: CVE-2018-16515: matrix-synapse: security fixes in Synapse 0.33.3.1 (2018-09-06)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Oliver Kurz <okurz>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/213855/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2018-09-07 06:53:02 UTC
rh#1626111

As reported:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Pre-disclosure: Upcoming critical security fix for Synapse

Hi all,

During the ongoing work to finalise a stable release of Matrix’s Server-Server federation API, we’ve been doing a full audit of Synapse’s implementation and have identified a serious vulnerability which we are going to release a security update to address (Synapse 0.33.3.1) on Thursday Sept 6th at 12:00 UTC.

We are coordinating with package maintainers to ensure that patched versions of packages will be available at that time - meanwhile, if you run your own Synapse, please be prepared to upgrade as soon as the patched versions are released.  All previous versions of Synapse are affected, so everyone will want to upgrade.

Thank you for your time, patience and understanding while we resolve the issue,
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEumuwyPtYLL2OMhYdOtoG7cdT0R4FAluPtyUACgkQOtoG7cdT
0R4EcxAAgzNXKgl4/EhfAJylryo141HKmu7UgK9I7fF6fdkZL9W9UvLeeJCsSlJp
RF3QQM6EHHkWXLRiXYXVUxc45sg2iYUJz+inIb1eH4du9E68j/o1qk1n3/Z+OaeI
XCvMnJqgNwpsiKJCnvOsnumDyOODY3Fg1zWauG/YDnSJmPISgBM9d6OY8vwcAm54
M/qV+xiJwVse0jp7Ne5RX+aZmUibUJpgp4pAvJpDYRI7AX612hizlTzFAwljRyWM
7V28W9E6jbsndI1F+3Ok+KK7+AGFmeBGXKY4uxbkoXq/TPHVFjWimgS5CrZ9V8ry
Kyeo5i5UbP7V7d53h7U8/KGIxzNsNRKSgU7FXZthJCZQQkAnhPDf3nhUI0YJTvNv
r3n/ZnRz/1gO7ceTY87ea31kxbnR3+d6lrYwHy/1g6SkyMJfvFYehQkWXHXcr6tN
OXS+eK2o8cdaQduhGTKAcWVmcwbbMnj6eHCMrnRsdtPzboLd8FHXUphsEdBgs2Tv
7Q0JKoXZM3Rbn2ksFPGOTwm+RkcTUWFJ8iVZQ9lIC0uMRgYyDHk0gFvDCACirBB7
+NGbPALFuBmCKdKiKOC74s+Z0WeOISQKCoSD1H/YprDrXOgamLSGMrkLDZ9FB0M6
XSAH3aRmdquCOWsw91JqeMeDi2FOBfiLUzkhzTVDVrPGbgS9Qqs=
=KvsN
-----END PGP SIGNATURE-----

Upstream bug:
https://github.com/matrix-org/synapse/issues/3796

Upstream fix:
https://github.com/matrix-org/synapse/commit/d64b24dfe6e792bb3031888f886ee871e4f41064


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1626111
https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16515
Comment 1 Oliver Kurz 2018-09-10 12:21:57 UTC
https://build.opensuse.org/request/show/634732