git: 1d034041502f - main - security/vuxml: Document py-matrix-synapse vulnerabilities

Ashish SHUKLA ashish at FreeBSD.org
Thu Sep 2 14:38:29 UTC 2021 

The branch main has been updated by ashish:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1d034041502f6783f8259b91b23e650c79fc4f6d

commit 1d034041502f6783f8259b91b23e650c79fc4f6d
Author:     Ashish SHUKLA <ashish at FreeBSD.org>
AuthorDate: 2021-09-02 14:31:26 +0000
Commit:     Ashish SHUKLA <ashish at FreeBSD.org>
CommitDate: 2021-09-02 14:31:26 +0000

    security/vuxml: Document py-matrix-synapse vulnerabilities
    
    PR:             258187
    Reported by:    Sascha Biberhofer <ports at skyforge.at>
    Security:       a67e358c-0bf6-11ec-875e-901b0e9408dc
    Security:       CVE-2021-39163
    Security:       CVE-2021-39164
---
 security/vuxml/vuln-2021.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 2b7395808059..31ce37c2583d 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,42 @@
+  <vuln vid="a67e358c-0bf6-11ec-875e-901b0e9408dc">
+    <topic>py-matrix-synapse -- several vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>py36-matrix-synapse</name>
+	<name>py37-matrix-synapse</name>
+	<name>py38-matrix-synapse</name>
+	<name>py39-matrix-synapse</name>
+	<name>py310-matrix-synapse</name>
+	<range><lt>1.41.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Matrix developers report:</p>
+	<blockquote cite="https://matrix.org/blog/2021/08/31/synapse-1-41-1-released">
+	  <p>This release patches two moderate severity issues which
+	  could reveal metadata about private rooms:</p>
+	  <ul>
+	    <li>CVE-2021-39164: Enumerating a private room's list of
+	    members and their display names.</li>
+	    <li>CVE-2021-39163: Disclosing a private room's name,
+	    avatar, topic, and number of members.</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <freebsdpr>ports/258187</freebsdpr>
+      <cvename>CVE-2021-39164</cvename>
+      <cvename>CVE-2021-39163</cvename>
+      <url>https://matrix.org/blog/2021/08/31/synapse-1-41-1-released</url>
+    </references>
+    <dates>
+      <discovery>2021-08-31</discovery>
+      <entry>2021-09-02</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="032643d7-0ba7-11ec-a689-080027e50e6d">
     <topic>Python -- multiple vulnerabilities</topic>
     <affects>

More information about the dev-commits-ports-all mailing list