Subject: CVS commit: pkgsrc/chat/matrix-synapse
From: Greg Troxel
Date: 2021-11-23 13:47:51
Message id: 20211123124752.0D02EFAEC@cvs.NetBSD.org
Log Message:
chat/matrix-synapse: Update to 1.47.1 (security)
Synapse 1.47.1 (2021-11-23)
===========================
This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.
Security advisory
-----------------
The following issue is fixed in 1.47.1.
- **[GHSA-3hfw-x7gx-437c](https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c) / [CVE-2021-41281](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41281): Path traversal when downloading remote media.**
Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory.
The last two directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact.
Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected.
Fixed by [91f2bd090](https://github.com/matrix-org/synapse/commit/91f2bd090).
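The bug class the advisory describes, shown as an added Python illustration (this is not Synapse's code and not the referenced fix): an on-disk path for remote media is built from a server name taken from the request plus a file id the server generates itself, so only the server-name component is attacker-influenced, matching the advisory's note that the last two directories and the file name are random. The directory layout, the media root and the server-name grammar below are assumptions for the example. The unchecked variant joins the untrusted component straight into the path; the hardened variant allow-lists the server name and then re-checks that the normalised result still lies under the media store root.

```python
import os
import re
import secrets

# Hypothetical media store root for the example (assumption, not from the page).
MEDIA_ROOT = "/var/lib/synapse/media_store"

# Rough host[:port] grammar used as an allow-list for server names.
# An assumption for this example, not Synapse's own validator.
_SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]+(:[0-9]{1,5})?$")


def new_file_id() -> str:
    """Server-chosen random file id (32 hex chars); the attacker never picks this."""
    return secrets.token_hex(16)


def remote_media_relpath(server_name: str, file_id: str) -> str:
    """Assumed layout: remote_content/<server>/<id[0:2]>/<id[2:4]>/<id[4:]>.

    The last two directories and the file name come from file_id, as the
    advisory describes; server_name is the only request-controlled part.
    """
    return os.path.join("remote_content", server_name,
                        file_id[0:2], file_id[2:4], file_id[4:])


def unchecked_media_path(root: str, server_name: str, file_id: str) -> str:
    """Vulnerable pattern: untrusted server_name joined into the path unvalidated.

    A server_name containing '..' (or an absolute path, which os.path.join
    treats as a new root) walks out of the media store.
    """
    return os.path.normpath(os.path.join(root, remote_media_relpath(server_name, file_id)))


def is_contained(root: str, path: str) -> bool:
    """True if the normalised path is root itself or lies strictly under it.

    commonpath works on path components, so a sibling directory whose name
    merely starts with the root's name is correctly rejected.
    """
    root = os.path.abspath(root)
    path = os.path.abspath(path)
    return os.path.commonpath([root, path]) == root


def is_safe_server_name(server_name: str) -> bool:
    """Allow-list check on the attacker-influenced component."""
    return _SERVER_NAME_RE.match(server_name) is not None


def checked_media_path(root: str, server_name: str, file_id: str) -> str:
    """Hardened pattern: validate the input, then verify the output.

    Raises ValueError on a bad server name or on a path that escapes root.
    Both checks are kept: the allow-list blocks the known traversal forms,
    the containment check catches anything the grammar was too loose for.
    """
    if not is_safe_server_name(server_name):
        raise ValueError(f"invalid server name: {server_name!r}")
    path = os.path.normpath(os.path.join(root, remote_media_relpath(server_name, file_id)))
    if not is_contained(root, path):
        raise ValueError(f"resolved path escapes the media store: {path!r}")
    return path


if __name__ == "__main__":
    fid = new_file_id()
    # Constructed inputs: a normal federation server name and a traversal attempt.
    for name in ("matrix.example.org:8448", "../../../../tmp", "/etc"):
        print("unchecked:", unchecked_media_path(MEDIA_ROOT, name, fid))
        try:
            print("checked:  ", checked_media_path(MEDIA_ROOT, name, fid))
        except ValueError as exc:
            print("checked:   rejected:", exc)
```

The containment check is deliberately done with `os.path.commonpath` rather than a string prefix test: `"/var/lib/synapse/media_store_evil/x".startswith("/var/lib/synapse/media_store")` is true, but the path is not inside the store. On a real deployment the same check should be applied to the path after symlink resolution (`os.path.realpath`) if the store may contain symlinks.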
Files: