> > but Debian does not include matrix-synapse in Debian Stable releases.
> > [citation needed]

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036954, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036806#30

You're right that it's not *policy*. But, for now at least, Debian are not including matrix-synapse in their stable releases.

> And the bug originally reported here was against the version of the package in bionic, a year and a half after bionic released. That security vulnerabilities were discovered in a package over the life cycle of a stable release is also not a reason for us to remove it.

Is it not? Ubuntu claims to support its LTS releases for five years; I'd argue pretty strongly that the expectation is that security vulnerabilities, at least, are patched for those five years. If you're unable to do that (and I appreciate that it's a lot of work), better not to ship the package in the first place. Ubuntu users are much better served by the upstream packages.

To be clear, this problem was originally reported against Bionic, but it's true of every Ubuntu release before and since. CVE-2024-31208 is a High severity CVE which affects all current Ubuntu releases. CVE-2023-45129 affects the version of matrix-synapse in Mantic and Noble. The version in Jammy is, frankly, prehistoric.

> But https://ubuntu.com/security/cves?q=&package=matrix-synapse&priority=&version=&status= also shows none of these CVEs are scored above 'medium' priority.

True, but doesn't that rather reflect lack of triage, than any actual severity?

** Bug watch added: Debian Bug tracker #1036954
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036954

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45129

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-31208

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1848709

Title:
  implementation is unusably old and contains significant security problems

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/matrix-synapse/+bug/1848709/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
