166 lines
9.0 KiB
JSON
166 lines
9.0 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20211385",
|
|
"Version": "oval:org.altlinux.errata:def:20211385",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2021-1385: package `matrix-synapse` update to version 1.27.0-alt1",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch p10"
|
|
],
|
|
"Products": [
|
|
"ALT Server",
|
|
"ALT Virtualization Server",
|
|
"ALT Workstation",
|
|
"ALT Workstation K",
|
|
"ALT Education",
|
|
"Simply Linux",
|
|
"Starterkit"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2021-1385",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-1385",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2020-26257",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-26257",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2021-21273",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-21273",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2021-21274",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-21274",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2021-21332",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-21332",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2021-21333",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-21333",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades matrix-synapse to version 1.27.0-alt1. \nSecurity Fix(es):\n\n * CVE-2020-26257: Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference \"homeserver\" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 the implementation is vulnerable to this injection attack. Issue is fixed in version 1.23.1. As a workaround homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`).\n\n * CVE-2021-21273: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.\n\n * CVE-2021-21274: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.\n\n * CVE-2021-21332: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0.\n\n * CVE-2021-21333: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "High",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2021-02-24"
|
|
},
|
|
"Updated": {
|
|
"Date": "2021-02-24"
|
|
},
|
|
"BDUs": null,
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2020-26257",
|
|
"CVSS": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
|
|
"CWE": "CWE-400",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-26257",
|
|
"Impact": "Low",
|
|
"Public": "20201209"
|
|
},
|
|
{
|
|
"ID": "CVE-2021-21273",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
|
"CWE": "CWE-601",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-21273",
|
|
"Impact": "Low",
|
|
"Public": "20210226"
|
|
},
|
|
{
|
|
"ID": "CVE-2021-21274",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
|
"CWE": "CWE-770",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-21274",
|
|
"Impact": "Low",
|
|
"Public": "20210226"
|
|
},
|
|
{
|
|
"ID": "CVE-2021-21332",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
|
|
"CWE": "CWE-79",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-21332",
|
|
"Impact": "High",
|
|
"Public": "20210326"
|
|
},
|
|
{
|
|
"ID": "CVE-2021-21333",
|
|
"CVSS": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
|
|
"CWE": "CWE-79",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-21333",
|
|
"Impact": "Low",
|
|
"Public": "20210326"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:kworkstation:10",
|
|
"cpe:/o:alt:workstation:10",
|
|
"cpe:/o:alt:server:10",
|
|
"cpe:/o:alt:server-v:10",
|
|
"cpe:/o:alt:education:10",
|
|
"cpe:/o:alt:slinux:10",
|
|
"cpe:/o:alt:starterkit:p10",
|
|
"cpe:/o:alt:kworkstation:10.1",
|
|
"cpe:/o:alt:workstation:10.1",
|
|
"cpe:/o:alt:server:10.1",
|
|
"cpe:/o:alt:server-v:10.1",
|
|
"cpe:/o:alt:education:10.1",
|
|
"cpe:/o:alt:slinux:10.1",
|
|
"cpe:/o:alt:starterkit:10.1",
|
|
"cpe:/o:alt:kworkstation:10.2",
|
|
"cpe:/o:alt:workstation:10.2",
|
|
"cpe:/o:alt:server:10.2",
|
|
"cpe:/o:alt:server-v:10.2",
|
|
"cpe:/o:alt:education:10.2",
|
|
"cpe:/o:alt:slinux:10.2",
|
|
"cpe:/o:alt:starterkit:10.2"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:2001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20211385001",
|
|
"Comment": "matrix-synapse is earlier than 0:1.27.0-alt1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |