[Pkg-matrix-maintainers] Bug#1088995: matrix-synapse: CVE-2024-52805 CVE-2024-52815 CVE-2024-53863 CVE-2024-53867
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 3 21:38:05 GMT 2024
Source: matrix-synapse
Version: 1.116.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for matrix-synapse.
CVE-2024-52805[0]:
| Synapse is an open-source Matrix homeserver. In Synapse before
| 1.120.1, multipart/form-data requests can in certain configurations
| transiently increase memory consumption beyond expected levels while
| processing the request, which can be used to amplify denial of
| service attacks. Synapse 1.120.1 resolves the issue by denying
| requests with unsupported multipart/form-data content type.
CVE-2024-52815[1]:
| Synapse is an open-source Matrix homeserver. Synapse versions before
| 1.120.1 fail to properly validate invites received over federation.
| This vulnerability allows a malicious server to send a specially
| crafted invite that disrupts the invited user's /sync functionality.
| Synapse 1.120.1 rejects such invalid invites received over
| federation and restores the ability to sync for affected users.
CVE-2024-53863[2]:
| Synapse is an open-source Matrix homeserver. In Synapse versions
| before 1.120.1, enabling the dynamic_thumbnails option or processing
| a specially crafted request could trigger the decoding and thumbnail
| generation of uncommon image formats, potentially invoking external
| tools like Ghostscript for processing. This significantly expands
| the attack surface in a historically vulnerable area, presenting a
| risk that far outweighs the benefit, particularly since these
| formats are rarely used on the open web or within the Matrix
| ecosystem. Synapse 1.120.1 addresses the issue by restricting
| thumbnail generation to images in the following widely used formats:
| PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
CVE-2024-53867[3]:
| Synapse is an open-source Matrix homeserver. The Sliding Sync
| feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak
| partial room state changes to users no longer in a room. Non-state
| events, like messages, are unaffected. This vulnerability is fixed
| in 1.120.1.
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52805
https://www.cve.org/CVERecord?id=CVE-2024-52805
https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
[1] https://security-tracker.debian.org/tracker/CVE-2024-52815
https://www.cve.org/CVERecord?id=CVE-2024-52815
https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
[2] https://security-tracker.debian.org/tracker/CVE-2024-53863
https://www.cve.org/CVERecord?id=CVE-2024-53863
https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
[3] https://security-tracker.debian.org/tracker/CVE-2024-53867
https://www.cve.org/CVERecord?id=CVE-2024-53867
https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h
Regards,
Salvatore
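Added example, not part of the bug report above and not Synapse's own code: a minimal pre-decode gate in Python that applies the two input-side mitigations the advisory texts describe for CVE-2024-52805 and CVE-2024-53863. It refuses multipart/form-data before the body is read, and it only lets bytes that actually sniff as PNG, JPEG, GIF or WebP reach a thumbnailer, ignoring whatever Content-Type the client declared. Function and constant names (`sniff_image_type`, `thumbnail_decision`, `reject_multipart`, `_SIGNATURES`) are assumptions made for illustration, and the sample payloads are constructed, not real uploads.

```python
from typing import Optional

# Magic-byte prefixes for the four formats Synapse 1.120.1 still thumbnails
# (per the CVE-2024-53863 text). These are the standard file signatures;
# the dict name is an assumption for this example.
_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the allow-listed MIME type the bytes actually are, else None.

    Sniffing the payload instead of trusting a client-declared Content-Type
    is the point: a crafted request can claim any type, and the allow-list,
    not the decoder's capabilities, decides what gets decoded at all.
    """
    for mime, prefixes in _SIGNATURES.items():
        if data.startswith(prefixes):
            return mime
    # WebP is a RIFF container: b"RIFF" + 4-byte little-endian size + b"WEBP".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def thumbnail_decision(data: bytes, declared_type: str) -> dict:
    """Decide whether an upload may be handed to the thumbnailer.

    declared_type is kept only for logging/auditing; it never selects a
    decoder. Anything outside the four allowed formats is skipped, so an
    uncommon format that would need an external tool is never decoded.
    """
    actual = sniff_image_type(data)
    return {
        "decision": "thumbnail" if actual is not None else "skip",
        "declared": declared_type,
        "actual": actual,
    }


def reject_multipart(content_type: Optional[str]) -> bool:
    """True if a request should be refused before its body is buffered.

    Models the CVE-2024-52805 mitigation: multipart/form-data is not a
    supported upload encoding, so deny it up front rather than parse it.
    """
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "multipart/form-data"


if __name__ == "__main__":
    # Constructed samples (not real uploads): two allowed formats and an
    # EPS-style header that the allow-list drops without decoding.
    samples = {
        "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "webp": b"RIFF\x24\x00\x00\x00WEBPVP8 " + b"\x00" * 8,
        "eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    }
    for name, blob in samples.items():
        # Every sample lies about being a PNG; only the sniffed type matters.
        print(name, thumbnail_decision(blob, "image/png"))
    print("multipart rejected:", reject_multipart("multipart/form-data; boundary=x"))
```

The two checks sit at different layers on purpose: the Content-Type refusal runs before any body is read, since the 52805 issue is about memory spent while processing the request, whereas the magic-byte allow-list runs on the stored bytes right before thumbnailing, which is where 53863's decoder exposure lives.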