Source: matrix-synapse
Version: 1.136.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/element-hq/synapse/pull/17097
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for matrix-synapse.

CVE-2025-61672[0]:
| Synapse is an open source Matrix homeserver implementation. Lack of
| validation for device keys in Synapse before 1.138.3 and in Synapse
| 1.139.0 allows an attacker registered on the victim homeserver to
| degrade federation functionality, unpredictably breaking outbound
| federation to other homeservers. The issue is patched in Synapse
| 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though
| 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently
| introduced an unrelated regression. For this reason, the maintainers
| of Synapse recommend skipping these releases and upgrading straight
| to 1.138.4 and 1.139.2.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61672
    https://www.cve.org/CVERecord?id=CVE-2025-61672
[1] https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr
[2] https://github.com/element-hq/synapse/pull/17097
[3] https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1
[4] https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740

Regards,
Salvatore
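The advisory quoted above attributes the problem to missing validation of device keys. As an added, defender-side illustration (this is not Synapse's code and not the CVE-2025-61672 fix; the report does not describe the exact checks the patch adds), the block below is a strict structural validator for a device_keys upload, following the DeviceKeys object shape from the public Matrix Client-Server specification: user_id, device_id, algorithms, keys mapping "<algorithm>:<device_id>" to key material, and signatures. The size limits, the identifier regexes, the helper names and the sample payload are assumptions constructed for the example.

```python
"""Structural validation of a Matrix device_keys upload (added example).

Not Synapse's code and not the CVE-2025-61672 patch.  The checks follow
the DeviceKeys shape from the public Matrix Client-Server spec; limits,
regexes and the sample payload below are constructed for illustration.
Cryptographic verification of the ed25519 self-signature is a separate
step that this structural check does not perform.
"""
import re
from typing import Any, Dict

# Hypothetical bounds: a server rejects oversized objects before doing
# any further work with them.
MAX_ALGORITHMS = 16
MAX_KEYS = 16
MAX_SIGNERS = 16

# Simplified identifier grammars (assumptions, stricter than the spec).
_USER_ID_RE = re.compile(r"^@[^:\s]{1,255}:[^:@\s]{1,255}$")
_DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
_UNPADDED_B64_RE = re.compile(r"^[A-Za-z0-9+/]{1,1024}$")


class InvalidDeviceKeys(ValueError):
    """Raised when an uploaded device_keys object fails validation."""


def _require_str(value: Any, what: str, pattern: "re.Pattern") -> str:
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise InvalidDeviceKeys(f"{what} is missing or malformed")
    return value


def validate_device_keys(payload: Any, auth_user_id: str,
                         auth_device_id: str) -> Dict[str, Any]:
    """Return a normalised copy of payload, or raise InvalidDeviceKeys."""
    if not isinstance(payload, dict):
        raise InvalidDeviceKeys("device_keys must be a JSON object")

    # The spec requires the ids to match the authenticated session, so a
    # user cannot upload keys on behalf of another user or device.
    user_id = _require_str(payload.get("user_id"), "user_id", _USER_ID_RE)
    device_id = _require_str(payload.get("device_id"), "device_id", _DEVICE_ID_RE)
    if user_id != auth_user_id or device_id != auth_device_id:
        raise InvalidDeviceKeys("user_id/device_id do not match the session")

    algorithms = payload.get("algorithms")
    if (not isinstance(algorithms, list) or not algorithms
            or len(algorithms) > MAX_ALGORITHMS):
        raise InvalidDeviceKeys("algorithms must be a non-empty, bounded list")
    for alg in algorithms:
        if not isinstance(alg, str) or not 0 < len(alg) <= 255:
            raise InvalidDeviceKeys("algorithm names must be short strings")

    # Every key id must be "<algorithm>:<this device id>"; values must be
    # unpadded base64 of bounded length.
    keys = payload.get("keys")
    if not isinstance(keys, dict) or not keys or len(keys) > MAX_KEYS:
        raise InvalidDeviceKeys("keys must be a non-empty, bounded object")
    for key_id, key_value in keys.items():
        if not isinstance(key_id, str):
            raise InvalidDeviceKeys("key ids must be strings")
        alg, sep, key_dev = key_id.partition(":")
        if not sep or not alg or key_dev != device_id:
            raise InvalidDeviceKeys(f"key id {key_id!r} is not '<alg>:{device_id}'")
        _require_str(key_value, f"key {key_id}", _UNPADDED_B64_RE)

    # The device must self-sign with its own ed25519 key, and that key
    # must actually be present in the uploaded key set.
    signatures = payload.get("signatures")
    if not isinstance(signatures, dict) or len(signatures) > MAX_SIGNERS:
        raise InvalidDeviceKeys("signatures must be a bounded object")
    self_sig_id = f"ed25519:{device_id}"
    if self_sig_id not in keys:
        raise InvalidDeviceKeys("no ed25519 key uploaded for this device")
    own = signatures.get(user_id)
    if not isinstance(own, dict) or self_sig_id not in own:
        raise InvalidDeviceKeys("missing the device's ed25519 self-signature")
    for signer, sigs in signatures.items():
        _require_str(signer, "signing user id", _USER_ID_RE)
        if not isinstance(sigs, dict) or not sigs or len(sigs) > MAX_KEYS:
            raise InvalidDeviceKeys(f"signatures for {signer} are malformed")
        for sig_id, sig in sigs.items():
            if not isinstance(sig_id, str) or ":" not in sig_id:
                raise InvalidDeviceKeys(f"signature id {sig_id!r} is malformed")
            _require_str(sig, f"signature {sig_id}", _UNPADDED_B64_RE)

    return {"user_id": user_id, "device_id": device_id,
            "algorithms": list(algorithms), "keys": dict(keys),
            "signatures": {s: dict(v) for s, v in signatures.items()}}


def is_valid_device_keys(payload: Any, auth_user_id: str,
                         auth_device_id: str) -> bool:
    """Boolean wrapper, convenient for tests and request handlers."""
    try:
        validate_device_keys(payload, auth_user_id, auth_device_id)
        return True
    except InvalidDeviceKeys:
        return False


# Constructed sample upload, shaped like the spec's DeviceKeys example.
SAMPLE_OK = {
    "user_id": "@alice:example.org",
    "device_id": "JLAFKJWSCS",
    "algorithms": ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
    "keys": {
        "curve25519:JLAFKJWSCS": "3C5BFWi2Y8MaVvjM8M22DBmh24PmgR0nPvJOIArzgyI",
        "ed25519:JLAFKJWSCS": "lEuiRJBit0IG6nUf5pUzWTUEsRVVe/HJkoKuEww9ULI",
    },
    "signatures": {
        "@alice:example.org": {
            "ed25519:JLAFKJWSCS": "dSO80A01XiigH3uBiDVx/EjzaoycHcjq9lfQX0uWsqxl2giMIiSPR8a4d291W1ihKJL/a+myXS367WT6NAIcBA"
        }
    },
}

if __name__ == "__main__":
    print(is_valid_device_keys(SAMPLE_OK, "@alice:example.org", "JLAFKJWSCS"))
    print(is_valid_device_keys(SAMPLE_OK, "@alice:example.org", "OTHERDEVICE"))
```

The point of the shape is that rejection happens at the upload boundary, before the object is persisted or forwarded to other homeservers, so a malformed object can fail only the request that carried it rather than work that the server performs later on behalf of everyone.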

