Subject: CVS commit: pkgsrc/chat/matrix-synapse
From: Greg Troxel
Date: 2021-11-23 13:47:51
Message id:

Log Message:
chat/matrix-synapse: Update to 1.47.1 (security)

Synapse 1.47.1 (2021-11-23)

This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.

Security advisory

The following issue is fixed in 1.47.1.

- **[GHSA-3hfw-x7gx-437c]( / [CVE-2021-41281]( Path traversal when downloading remote media.**

  Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory.

  The last two directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact.

  Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected.

  Fixed by [91f2bd090](