This repository has been archived by the owner on Mar 26, 2023. It is now read-only.

Bump matrix-synapse from 1.61.0 to 1.61.1 in /matrix #251

Merged 1 commit, Jun 29, 2022

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 29, 2022

Bumps matrix-synapse from 1.61.0 to 1.61.1.

Release notes

Sourced from matrix-synapse's releases.

v1.61.1

Synapse 1.61.1 (2022-06-28)

This patch release fixes a security issue regarding URL previews, affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.

The following issue is fixed in 1.61.1.

  • GHSA-22p3-qrh9-cx32 / CVE-2022-31052

    Synapse instances with the url_preview_enabled homeserver config option set to true are affected. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.

    Requesting URL previews requires authentication. Nevertheless, it is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for.

    Homeservers with the url_preview_enabled configuration option set to false (the default) are unaffected. Instances with the enable_media_repo configuration option set to false are also unaffected, as this also disables URL preview functionality.

    Fixed by fa1308061802ac7b7d20e954ba7372c5ac292333.
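As an added example (not code from Synapse or from this PR), a small Python check that applies the advisory's affected/unaffected rules to an already-parsed homeserver.yaml mapping and a Synapse version string. It assumes that `enable_media_repo` defaults to true (the advisory does not state its default) and that config values arrive as real booleans from a YAML parser.

```python
"""Exposure check for CVE-2022-31052 (GHSA-22p3-qrh9-cx32) in Synapse.
Added example, not Synapse's own code. Rules follow the advisory: affected
iff version < 1.61.1, url_preview_enabled is true (default false) and
enable_media_repo is not false (its default of true is assumed here)."""
import re

FIXED_VERSION = (1, 61, 1, 1)  # 1.61.1 final; last field 1 marks a final release
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(text: str) -> tuple:
    """'1.61.0' or '1.61.1rc2' -> comparable tuple; an rc sorts below its
    final release, so 1.61.1rc2 is still treated as lacking the fix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 1 if rc is None else 0)


def assess(config: dict, version: str) -> dict:
    """Verdict for an already-parsed homeserver.yaml mapping (e.g. from
    yaml.safe_load, so booleans arrive as real bools) and a version string."""
    previews = bool(config.get("url_preview_enabled", False))  # advisory default
    media_repo = bool(config.get("enable_media_repo", True))   # assumed default
    patched = parse_version(version) >= FIXED_VERSION
    affected = previews and media_repo and not patched
    action = ("upgrade to 1.61.1 or later, or set url_preview_enabled: false"
              if affected else "none required")
    return {"version": version, "patched": patched,
            "url_preview_enabled": previews, "enable_media_repo": media_repo,
            "affected": affected, "action": action}


# Constructed sample (config, version) pairs, not from any real deployment.
SAMPLES = {
    "previews on, 1.61.0":    ({"url_preview_enabled": True}, "1.61.0"),
    "previews on, 1.61.1":    ({"url_preview_enabled": True}, "1.61.1"),
    "previews on, 1.61.1rc1": ({"url_preview_enabled": True}, "1.61.1rc1"),
    "defaults, 1.61.0":       ({}, "1.61.0"),
    "media repo off, 1.61.0": ({"url_preview_enabled": True,
                               "enable_media_repo": False}, "1.61.0"),
}

if __name__ == "__main__":
    for name, (cfg, ver) in SAMPLES.items():
        v = assess(cfg, ver)
        print(f"{name:24} affected={v['affected']!s:5} -> {v['action']}")
```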

Changelog

Sourced from matrix-synapse's changelog.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [matrix-synapse](https://github.com/matrix-org/synapse) from 1.61.0 to 1.61.1.
- [Release notes](https://github.com/matrix-org/synapse/releases)
- [Changelog](https://github.com/matrix-org/synapse/blob/develop/CHANGES.md)
- [Commits](matrix-org/synapse@v1.61.0...v1.61.1)

---
updated-dependencies:
- dependency-name: matrix-synapse
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Upgrade or downgrade of project dependencies.) and python (Pull requests that update Python code) on Jun 29, 2022
@frenck frenck merged commit 655279b into main Jun 29, 2022
@frenck frenck deleted the dependabot/pip/matrix/matrix-synapse-1.61.1 branch June 29, 2022 06:50
@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2022