Bug 1215757 (CVE-2023-41335) - VUL-0: CVE-2023-41335, CVE-2023-42453: matrix-synapse: release 1.93.0 (2023-09-26)
Status: RESOLVED FIXED
Alias: CVE-2023-41335
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Oliver Kurz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/379877/
Reported: 2023-09-27 10:57 UTC by Alexander Bergmann
Modified: 2023-09-28 11:13 UTC

Description Alexander Bergmann 2023-09-27 10:57:40 UTC
Synapse 1.93.0 (2023-09-26)

No significant changes since 1.93.0rc1.
Security advisory

The following issues are fixed in 1.93.0 (and RCs).

GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5

Temporary storage of plaintext passwords during password changes.

GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x

Improper validation of receipts allows forged read receipts.

See the advisories for more details. If you have any questions, email security@matrix.org.
Comment 1 Alexander Bergmann 2023-09-27 10:58:55 UTC
Only needed in Factory.
Comment 2 Oliver Kurz 2023-09-28 11:13:12 UTC
https://build.opensuse.org/request/show/1113708, accepted into Factory already