[Pkg-matrix-maintainers] Bug#901549: matrix-synapse: unauthorised users can hijack rooms when there is no m.room.power_levels event in force

Andrej Shadura andrewsh at debian.org
Thu Jun 14 17:47:04 BST 2018


Source: matrix-synapse
Version: 0.31.1+dfsg-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/matrix-org/synapse/pull/3397


From https://matrix.org/blog/2018/06/14/security-update-synapse-0-31-2/:

> …we are releasing a security update of Synapse (0.31.2) today which
> changes the rules used to authenticate power_level events, such that
> we fail-safe rather than fail-deadly if the existing auth mechanisms
> fail. In practice this means changing the default power level required
> to set state to be 50 rather than 0 if there is no power_levels event
> present, thus meaning that only the room creator can set the initial
> power_levels event.

See also https://github.com/matrix-org/matrix-doc/issues/1304
(Proposal to simplify the auth rules of m.room.power_level events.)


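A simplified model of the check the quoted update changes, added here as an illustration and not taken from Synapse or the linked pull request. It assumes the Matrix defaults that a room creator (sender of m.room.create) has level 100 and everyone else 0 when no m.room.power_levels event exists, and that the state map, user IDs and the `fail_safe` switch are constructed for the example.

```python
"""Model of who may send a state event (such as the first m.room.power_levels)
before and after Synapse 0.31.2.  Constructed example, not Synapse's own code."""

# Assumption: creator's level when the room has no m.room.power_levels event.
CREATOR_LEVEL = 100


def user_level(user_id, room_state):
    """Effective power level of user_id given a {(type, state_key): event} map."""
    pl = room_state.get(("m.room.power_levels", ""))
    if pl is None:
        # No power_levels event in force: only the creator has any power.
        creator = room_state[("m.room.create", "")]["sender"]
        return CREATOR_LEVEL if user_id == creator else 0
    content = pl["content"]
    return content.get("users", {}).get(user_id, content.get("users_default", 0))


def required_state_level(room_state, fail_safe):
    """Level needed to send a state event in this room."""
    pl = room_state.get(("m.room.power_levels", ""))
    if pl is None:
        # Before 0.31.2 (fail-deadly): 0, so any joined user qualifies.
        # From 0.31.2 (fail-safe): 50, so only the creator (100) qualifies.
        return 50 if fail_safe else 0
    return pl["content"].get("state_default", 50)


def may_set_power_levels(user_id, room_state, fail_safe=True):
    """True if user_id is allowed to send the initial m.room.power_levels event."""
    return user_level(user_id, room_state) >= required_state_level(room_state, fail_safe)


# Constructed room state: created by @alice, two joined members, and no
# m.room.power_levels event in force (the situation the bug report describes).
ROOM_STATE = {
    ("m.room.create", ""): {"sender": "@alice:example.org", "content": {}},
    ("m.room.member", "@alice:example.org"): {"content": {"membership": "join"}},
    ("m.room.member", "@mallory:example.org"): {"content": {"membership": "join"}},
}

if __name__ == "__main__":
    for user in ("@alice:example.org", "@mallory:example.org"):
        print(user, "pre-fix:", may_set_power_levels(user, ROOM_STATE, False),
              "post-fix:", may_set_power_levels(user, ROOM_STATE, True))
```

With the fix applied, a server that never managed to send the room's initial power_levels event still only lets the creator supply one, which is the fail-safe behaviour the advisory describes.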