Source: matrix-sydent
Version: 2.5.1-1.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/matrix-org/sydent/pull/574
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for matrix-sydent.

CVE-2023-38686[0]:
| Sydent is an identity server for the Matrix communications protocol.
| Prior to version 2.5.6, if configured to send emails using TLS,
| Sydent does not verify SMTP servers' certificates. This makes
| Sydent's emails vulnerable to interception via a man-in-the-middle
| (MITM) attack. Attackers with privileged access to the network can
| intercept room invitations and address confirmation emails. This is
| patched in Sydent 2.5.6. When patching, make sure that Sydent trusts
| the certificate of the server it is connecting to. This should
| happen automatically when using properly issued certificates. Those
| who use self-signed certificates should make sure to copy their
| Certification Authority certificate, or their self signed
| certificate if using only one, to the trust store of your operating
| system. As a workaround, one can ensure Sydent's emails fail to send
| by setting the configured SMTP server to a loopback or non-routable
| address under one's control which does not have a listening SMTP
| server.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38686
    https://www.cve.org/CVERecord?id=CVE-2023-38686
[1] https://github.com/matrix-org/sydent/pull/574
[2] https://github.com/matrix-org/sydent/commit/1cd748307c6b168b66154e6c4db715d4b9551261
[3] https://github.com/matrix-org/sydent/security/advisories/GHSA-p6hw-wm59-3g5g

Regards,
Salvatore
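The advisory's point is that an SMTP client which negotiates TLS must also require a trusted certificate chain and check the server's hostname; negotiating TLS without either lets any on-path party present its own certificate and read the mail. The following is an added illustration using Python's standard library, not Sydent's code and not the upstream fix (Sydent is built on Twisted, whose TLS API differs). The function names, the `cafile` parameter and the sample message are this example's own. The unverified context mirrors the pre-2.5.6 behaviour the advisory describes; the verifying context is what "make sure that Sydent trusts the certificate" amounts to, with the self-signed case handled by passing the private CA's PEM file instead of relying on the operating system trust store.

```python
import smtplib
import ssl
from email.message import EmailMessage


def make_smtp_tls_context(cafile=None):
    """Build a client TLS context that verifies the SMTP server.

    With cafile=None the operating system's trust store is used, which is
    the normal case for publicly issued certificates.  For a self-signed
    setup, pass the PEM file of the private CA (or of the server certificate
    itself when there is only one); this is the programmatic equivalent of
    the advisory's guidance to copy that certificate into the trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets both; restated so the intent is explicit.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """Context equivalent to the behaviour CVE-2023-38686 describes: TLS is
    negotiated, but any certificate, including an interceptor's, is accepted.
    Included only for contrast with make_smtp_tls_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """True only if a context both requires a trusted chain and checks the hostname.

    Requiring a chain without hostname checking still accepts any certificate
    validly issued for some other name, so both conditions are needed.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_with_starttls(host, port, msg, context, timeout=10):
    """Deliver msg over STARTTLS using the supplied context.

    With a verifying context, smtp.starttls() raises ssl.SSLCertVerificationError
    when the server's certificate is not trusted, so the message is never handed
    to a connection that an interceptor could have terminated.
    """
    if not context_verifies_peer(context):
        raise ValueError("refusing to send mail with a non-verifying TLS context")
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.ehlo()  # re-identify after the TLS upgrade, as RFC 3207 recommends
        smtp.send_message(msg)


def build_invite_message(sender, recipient):
    """Constructed sample message standing in for a room-invitation email."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "You have been invited to a room"
    msg.set_content("Sample invitation body (constructed for this example).")
    return msg


if __name__ == "__main__":
    print("verifying context checks peer:", context_verifies_peer(make_smtp_tls_context()))
    print("unverified context checks peer:", context_verifies_peer(make_unverified_context()))
    # No delivery is attempted here. Against a real relay it would be, e.g.:
    # send_with_starttls("smtp.example.org", 587,
    #                    build_invite_message("sydent@example.org", "user@example.org"),
    #                    make_smtp_tls_context(cafile="/path/to/private-ca.pem"))
```

The guard in `send_with_starttls` is the detection side of the same point: a deployment can assert at startup that whatever context its mail code uses satisfies `context_verifies_peer`, which would have flagged the vulnerable configuration before the first message went out.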