Your message dated Sat, 11 May 2019 18:32:46 +0100
with message-id <[email protected]>
and subject line Re: Bug#928608: unblock: matrix-synapse/0.99.2-5
has caused the Debian Bug report #928608,
regarding unblock: matrix-synapse/0.99.2-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928608: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928608
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package matrix-synapse.
This upload backports two security updates from 0.99.3.
unblock matrix-synapse/0.99.2-5
--
Cheers,
Andrej
diff --git a/debian/changelog b/debian/changelog
index 0dfdb8d..a786521 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+matrix-synapse (0.99.2-5) unstable; urgency=high
+
+ * Security updates backported from 0.99.3:
+ - Use SystemRandom for token generation
+ - Blacklist 0.0.0.0 and :: by default for URL previews
+
+ -- Andrej Shadura <[email protected]> Fri, 03 May 2019 22:26:41 +0200
+
matrix-synapse (0.99.2-4) unstable; urgency=medium
[ Antoine Beaupré ]
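Review bot: the debian/changelog entry names the two backports but gives no pointer to the upstream fixes; the patch files below identify them as the 0.99.3 changes 5133 and 5134 (from their changelog.d filenames) with their upstream commit ids, and the Debian changelog should cite those so the security team and users can trace what was backported without opening the patches. urgency=high is appropriate for security fixes, but the entry should also state whether an advisory or CVE id exists for these issues or that none was assigned.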
diff --git
a/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
new file mode 100644
index 0000000..21853e9
--- /dev/null
+++ b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
@@ -0,0 +1,85 @@
+From 1a7104fde3abc5392b90ca084efa896d46e24f91 Mon Sep 17 00:00:00 2001
+From: Richard van der Hoff <[email protected]>
+Date: Fri, 3 May 2019 13:46:50 +0100
+Subject: [PATCH] Blacklist 0.0.0.0 and :: by default for URL previews
+
+---
+ changelog.d/5134.bugfix | 1 +
+ docs/sample_config.yaml | 14 +++++++++-----
+ synapse/config/repository.py | 28 ++++++++++++++++++----------
+ 3 files changed, 28 insertions(+), 15 deletions(-)
+ create mode 100644 changelog.d/5134.bugfix
+
+diff --git a/changelog.d/5134.bugfix b/changelog.d/5134.bugfix
+new file mode 100644
+index 0000000000..684d48c53a
+--- /dev/null
++++ b/changelog.d/5134.bugfix
+@@ -0,0 +1 @@
++Blacklist 0.0.0.0 and :: by default for URL previews. Thanks to @opnsec for
identifying and responsibly disclosing this issue too!
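Review bot: the diffstat in the patch header lists docs/sample_config.yaml (14 lines) and "3 files changed", but the patch body contains only changelog.d/5134.bugfix and synapse/config/repository.py; if the sample-config copy was dropped deliberately when cherry-picking, regenerate the header (or trim the diffstat) so it matches what the patch actually applies, otherwise a file is missing. The patch also carries only git format-patch headers; a DEP-3 `Origin: upstream, 1a7104fde3abc5392b90ca084efa896d46e24f91` line would record where it was cherry-picked from.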
+diff --git a/synapse/config/repository.py b/synapse/config/repository.py
+index 3f34ad9b2a..d155d69d8a 100644
+--- a/synapse/config/repository.py
++++ b/synapse/config/repository.py
+@@ -154,17 +154,21 @@ def read_config(self, config):
+ except ImportError:
+ raise ConfigError(MISSING_NETADDR)
+
+- if "url_preview_ip_range_blacklist" in config:
+- self.url_preview_ip_range_blacklist = IPSet(
+- config["url_preview_ip_range_blacklist"]
+- )
+- else:
++ if "url_preview_ip_range_blacklist" not in config:
+ raise ConfigError(
+ "For security, you must specify an explicit target IP
address "
+ "blacklist in url_preview_ip_range_blacklist for url
previewing "
+ "to work"
+ )
+
++ self.url_preview_ip_range_blacklist = IPSet(
++ config["url_preview_ip_range_blacklist"]
++ )
++
++ # we always blacklist '0.0.0.0' and '::', which are supposed to be
++ # unroutable addresses.
++ self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])
++
+ self.url_preview_ip_range_whitelist = IPSet(
+ config.get("url_preview_ip_range_whitelist", ())
+ )
+@@ -235,11 +239,11 @@ def default_config(self, data_dir_path, **kwargs):
+ height: 600
+ method: scale
+
+- # Is the preview URL API enabled? If enabled, you *must* specify
+- # an explicit url_preview_ip_range_blacklist of IPs that the spider is
+- # denied from accessing.
++ # Is the preview URL API enabled?
++ # 'False' by default: uncomment the following to enable it (and
specify a
++ # url_preview_ip_range_blacklist blacklist).
+ #
+- url_preview_enabled: False
++ #url_preview_enabled: True
+
+ # List of IP address CIDR ranges that the URL preview spider is denied
+ # from accessing. There are no defaults: you must explicitly
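Review bot: in the new comment, "url_preview_ip_range_blacklist blacklist" doubles the word; "(and specify url_preview_ip_range_blacklist)" reads cleaner. More substantively, this hunk and the two that follow only change comments in the generated sample config, and the header diffstat shows the docs/sample_config.yaml copy is not part of this patch at all; for a targeted backport into a frozen release these cosmetic hunks could be dropped so the diff is limited to the behavioural change in read_config, unless the intent is for the shipped sample config to match 0.99.3.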
+@@ -249,6 +253,9 @@ def default_config(self, data_dir_path, **kwargs):
+ # synapse to issue arbitrary GET requests to your internal services,
+ # causing serious security issues.
+ #
++ # This must be specified if url_preview_enabled. It is recommended
that you
++ # uncomment the following list as a starting point.
++ #
+ #url_preview_ip_range_blacklist:
+ # - '127.0.0.0/8'
+ # - '10.0.0.0/8'
+@@ -259,7 +266,7 @@ def default_config(self, data_dir_path, **kwargs):
+ # - '::1/128'
+ # - 'fe80::/64'
+ # - 'fc00::/7'
+- #
++
+ # List of IP address CIDR ranges that the URL preview spider is
allowed
+ # to access even if they are specified in
url_preview_ip_range_blacklist.
+ # This is useful for specifying exceptions to wide-ranging blacklisted
diff --git a/debian/patches/series b/debian/patches/series
index dbc914f..b216485 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
0006-Avoid-pip-install.patch
fix-deps.patch
config-add-signing_key_path.patch
+blacklist-localhost-by-default-for-URL-previews.patch
+use-SystemRandom-for-token-generation.patch
diff --git a/debian/patches/use-SystemRandom-for-token-generation.patch
b/debian/patches/use-SystemRandom-for-token-generation.patch
new file mode 100644
index 0000000..cfe8f8d
--- /dev/null
+++ b/debian/patches/use-SystemRandom-for-token-generation.patch
@@ -0,0 +1,44 @@
+From 247dc1bd0bd9ee2b9525495c0dbd819baf10ec1f Mon Sep 17 00:00:00 2001
+From: Richard van der Hoff <[email protected]>
+Date: Fri, 3 May 2019 12:38:03 +0100
+Subject: [PATCH] Use SystemRandom for token generation
+
+---
+ changelog.d/5133.bugfix | 1 +
+ synapse/util/stringutils.py | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+ create mode 100644 changelog.d/5133.bugfix
+
+diff --git a/changelog.d/5133.bugfix b/changelog.d/5133.bugfix
+new file mode 100644
+index 0000000000..12a32a906b
+--- /dev/null
++++ b/changelog.d/5133.bugfix
+@@ -0,0 +1 @@
++Switch to using a cryptographically-secure random number generator for token
strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec
for for identifying and responsibly disclosing this issue!
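Review bot: "for for" is doubled in the changelog entry ("Thanks to @opnsec for for identifying"). Since changelog.d fragments are upstream's release-notes input and do not affect the built package, consider dropping this file (and its diffstat line) from the Debian patch so that it carries only the stringutils.py change; the same applies to changelog.d/5134.bugfix in the other patch.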
+diff --git a/synapse/util/stringutils.py b/synapse/util/stringutils.py
+index fdcb375f95..69dffd8244 100644
+--- a/synapse/util/stringutils.py
++++ b/synapse/util/stringutils.py
+@@ -24,14 +24,19 @@
+ string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
+ )
+
++# random_string and random_string_with_symbols are used for a range of things,
++# some cryptographically important, some less so. We use SystemRandom to make
sure
++# we get cryptographically-secure randoms.
++rand = random.SystemRandom()
++
+
+ def random_string(length):
+- return ''.join(random.choice(string.ascii_letters) for _ in range(length))
++ return ''.join(rand.choice(string.ascii_letters) for _ in range(length))
+
+
+ def random_string_with_symbols(length):
+ return ''.join(
+- random.choice(_string_with_symbols) for _ in range(length)
++ rand.choice(_string_with_symbols) for _ in range(length)
+ )
+
+
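Review bot: the module-level `rand = random.SystemRandom()` is the right fix, but `SystemRandom` ignores `random.seed()`, so any test that seeded the global generator to get reproducible output from `random_string` or `random_string_with_symbols` will now be non-deterministic; check the test suite before uploading. The comment "some cryptographically important, some less so" would be more useful if it also stated the consequence for callers: with SystemRandom the unpredictability of a token depends only on its length and alphabet (`random_string` draws from 52 letters, roughly 5.7 bits per character), so callers generating secrets must pick an adequate length. `secrets.choice` would be the idiomatic spelling on Python 3.6+; SystemRandom is the portable choice if the package still has to run on interpreters without the `secrets` module.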
--- End Message ---
--- Begin Message ---
On Tue, May 07, 2019 at 05:15:28PM +0200, Andrej Shadura wrote:
> Please unblock package matrix-synapse.
>
> This upload backports two security updates from 0.99.3.
Unblocked; thanks.
--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---