community/synapse: security upgrade to 1.105.1 (!64425) · Merge requests · alpine / aports

fossdd requested to merge fossdd/aports:synapse-1.105.0-r0 into master Apr 18, 2024

https://github.com/element-hq/synapse/releases/tag/v1.105.0

https://github.com/element-hq/synapse/releases/tag/v1.105.1

In 1.105.1:

Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage.

A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.104.1, can dispatch specially crafted events to exploit a weakness in how the auth chain cover index is calculated. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service.

Servers in private federations, or those that do not federate, are not affected.

Edited Apr 24, 2024 by fossdd

community/synapse: security upgrade to 1.105.1

Merge request reports