Source: matrix-synapse
Version: 1.78.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for matrix-synapse.

CVE-2023-32682[0]:
| Synapse is a Matrix protocol homeserver written in Python with the
| Twisted framework. In affected versions it may be possible for a
| deactivated user to login when using uncommon configurations. This
| only applies if any of the following are true: 1. JSON Web Tokens
| are enabled for login via the `jwt_config.enabled` configuration
| setting. 2. The local password database is enabled via the
| `password_config.enabled` and `password_config.localdb_enabled`
| configuration settings *and* a user's password is updated via an
| admin API after a user is deactivated. Note that the local password
| database is enabled by default, but it is uncommon to set a user's
| password after they've been deactivated. Installations that are
| configured to only allow login via Single Sign-On (SSO) via CAS,
| SAML or OpenID Connect (OIDC); or via an external password provider
| (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure
| that deactivated users do not have a password set. This issue has
| been addressed in version 1.85.0. Users are advised to upgrade.

CVE-2023-32683[1]:
| Synapse is a Matrix protocol homeserver written in Python with the
| Twisted framework. A discovered oEmbed or image URL can bypass the
| `url_preview_url_blacklist` setting potentially allowing server side
| request forgery or bypassing network policies. Impact is limited to
| IP addresses allowed by the `url_preview_ip_range_blacklist` setting
| (by default this only allows public IPs) and by the limited
| information returned to the client: 1. For discovered oEmbed URLs,
| any non-JSON response or a JSON response which includes non-oEmbed
| information is discarded. 2. For discovered image URLs, any non-
| image response is discarded. Systems which have URL preview disabled
| (via the `url_preview_enabled` setting) or have not configured a
| `url_preview_url_blacklist` are not affected. This issue has been
| addressed in version 1.85.0. Users are advised to upgrade. Users
| unable to upgrade may also disable URL previews.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32682
    https://www.cve.org/CVERecord?id=CVE-2023-32682
[1] https://security-tracker.debian.org/tracker/CVE-2023-32683
    https://www.cve.org/CVERecord?id=CVE-2023-32683

Regards,
Salvatore
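The two advisories quoted above each hinge on a handful of homeserver.yaml settings (`jwt_config.enabled`, `password_config.enabled`, `password_config.localdb_enabled`, `url_preview_enabled`, `url_preview_url_blacklist`) plus the fixed version 1.85.0. The following script is an added example, not part of the bug report or of Synapse itself: it takes an already-parsed configuration (a dict, e.g. from `yaml.safe_load` on homeserver.yaml) and the running version, and reports which of the advisory's preconditions hold. The `SAMPLE_CONFIG` dict and the `assess`/`cve_*_exposure` function names are constructed for the example; the defaults applied for missing keys (`password_config.enabled` and `localdb_enabled` true, `url_preview_enabled` false) follow the advisory's note that the local password database is on by default and Synapse's documented default of previews being off.

```python
"""Check a parsed Synapse homeserver.yaml against the preconditions of
CVE-2023-32682 and CVE-2023-32683 as described in the Debian bug report.

Added example, not code from the bug report or from the Synapse project.
Assumptions: the config has already been loaded into a dict (for example
with yaml.safe_load on homeserver.yaml); 1.85.0 is the fixed version named
in the advisory; a Debian-style suffix such as "1.78.0-1" is ignored when
comparing versions.
"""

FIXED_VERSION = (1, 85, 0)  # from the advisory


def parse_version(version: str) -> tuple:
    """'1.78.0-1' -> (1, 78, 0); the Debian revision after '-' is dropped."""
    upstream = version.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def is_fixed(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def cve_2023_32682_exposure(cfg: dict) -> list:
    """Reasons a deactivated user might still be able to log in."""
    reasons = []
    jwt = cfg.get("jwt_config") or {}
    if jwt.get("enabled", False) is True:
        reasons.append("jwt_config.enabled is true: JWT login is enabled")

    pw = cfg.get("password_config") or {}
    # Advisory: the local password database is enabled by default, so a
    # missing key counts as enabled. The issue only bites if a password is
    # set via the admin API after deactivation, which this static check
    # cannot see; it flags the precondition.
    if pw.get("enabled", True) is True and pw.get("localdb_enabled", True) is True:
        reasons.append(
            "local password database enabled: a password set via the admin "
            "API after deactivation would allow that account to log in"
        )
    return reasons


def cve_2023_32683_exposure(cfg: dict) -> list:
    """Reasons a discovered oEmbed/image URL could bypass the URL blacklist."""
    if not cfg.get("url_preview_enabled", False):
        return []  # previews disabled: not affected (advisory)
    if not cfg.get("url_preview_url_blacklist"):
        return []  # no url_preview_url_blacklist configured: not affected
    return [
        "url_preview_enabled with a url_preview_url_blacklist: discovered "
        "oEmbed or image URLs may bypass the blacklist (limited by "
        "url_preview_ip_range_blacklist)"
    ]


def assess(cfg: dict, version: str) -> dict:
    """Per-CVE list of matched preconditions; empty once the version is fixed."""
    if is_fixed(version):
        return {"CVE-2023-32682": [], "CVE-2023-32683": []}
    return {
        "CVE-2023-32682": cve_2023_32682_exposure(cfg),
        "CVE-2023-32683": cve_2023_32683_exposure(cfg),
    }


# Constructed sample configuration for demonstration (not a real deployment).
SAMPLE_CONFIG = {
    "server_name": "example.org",
    "jwt_config": {"enabled": True},
    "password_config": {"enabled": True, "localdb_enabled": True},
    "url_preview_enabled": True,
    "url_preview_ip_range_blacklist": ["127.0.0.0/8", "10.0.0.0/8"],
    "url_preview_url_blacklist": [{"netloc": "*.internal.example.org"}],
}


if __name__ == "__main__":
    for cve, reasons in assess(SAMPLE_CONFIG, "1.78.0-1").items():
        status = "affected" if reasons else "not affected"
        print(f"{cve}: {status}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the Debian package version from the report (1.78.0-1) the sample config matches both advisories; an SSO-only deployment (`password_config.enabled: false`, no JWT) and a deployment with previews disabled come back clean for the respective CVE, and any version at or above 1.85.0 returns empty lists.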