FreeBSD : py-matrix-synapse -- multiple vulnerabilities (38d2df4d-b143-11e9-87e7-901b0e934d69)

high Nessus Plugin ID 127106

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Matrix developers report:

The Matrix team releases Synapse 1.2.1 as a critical security update.
It contains patches relating to redactions and event federation:

- Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms.

- Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely.

- Prevent an attack where users could be joined or parted from public rooms without their consent.

- Fix a vulnerability where a federated server could spoof read-receipts from users on other servers.

- It was possible for a room moderator to send a redaction for an m.room.create event, which would downgrade the room to version 1.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?f62a8cf5

https://github.com/matrix-org/synapse/releases/tag/v1.2.1

http://www.nessus.org/u?0df18e6f

Plugin Details

Severity: High

ID: 127106

File Name: freebsd_pkg_38d2df4db14311e987e7901b0e934d69.nasl

Version: 1.1

Type: local

Published: 7/29/2019

Updated: 7/29/2019

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py27-matrix-synapse, p-cpe:/a:freebsd:freebsd:py35-matrix-synapse, p-cpe:/a:freebsd:freebsd:py36-matrix-synapse, p-cpe:/a:freebsd:freebsd:py37-matrix-synapse, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 7/28/2019

Vulnerability Publication Date: 7/26/2019