Subject: CVS commit: pkgsrc/chat/matrix-synapse
From: Greg Troxel
Date: 2021-11-23 13:47:51
Message id: 20211123124752.0D02EFAEC@cvs.NetBSD.org

Log Message:
chat/matrix-synapse: Update to 1.47.1 (security)

Synapse 1.47.1 (2021-11-23)
===========================

This release fixes a security issue in the media store, affecting all prior \ 
releases of Synapse. Server administrators are encouraged to update Synapse as \ 
soon as possible. We are not aware of these vulnerabilities being exploited in \ 
the wild.

Server administrators who are unable to update Synapse may use the workarounds \ 
described in the linked GitHub Security Advisory below.

Security advisory
-----------------

The following issue is fixed in 1.47.1.

- \ 
**[GHSA-3hfw-x7gx-437c](https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c) \ 
/ \ 
[CVE-2021-41281](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41281): \ 
Path traversal when downloading remote media.**

  Synapse instances with the media repository enabled can be tricked into \ 
downloading a file from a remote server into an arbitrary directory, potentially \ 
outside the media store directory.

  The last two directories and file name of the path are chosen randomly by \ 
Synapse and cannot be controlled by an attacker, which limits the impact.

  Homeservers with the media repository disabled are unaffected. Homeservers \ 
configured with a federation whitelist are also unaffected.

  Fixed by [91f2bd090](https://github.com/matrix-org/synapse/commit/91f2bd090).

Files:
RevisionActionfile
1.28modifypkgsrc/chat/matrix-synapse/distinfo
1.36modifypkgsrc/chat/matrix-synapse/Makefile