[security] net/synapse 1.139.1
Hello,
Here is a diff to update net/synapse to 1.139.1.
Tested on amd64.
This fixes CVE-2025-61672:
Lack of validation for device keys in Synapse before 1.139.1 allows an
attacker registered on the victim homeserver to degrade federation
functionality, unpredictably breaking outbound federation to other
homeservers.
Best Regards
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/synapse/Makefile,v
diff -u -p -r1.110 Makefile
--- Makefile 18 Sep 2025 15:19:38 -0000 1.110
+++ Makefile 7 Oct 2025 13:42:07 -0000
@@ -1,7 +1,6 @@
COMMENT = open network for secure, decentralized communication
-MODPY_DISTV = 1.138.0
-REVISION = 2
+MODPY_DISTV = 1.139.1
GH_ACCOUNT = element-hq
GH_PROJECT = synapse
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/synapse/distinfo,v
diff -u -p -r1.83 distinfo
--- distinfo 10 Sep 2025 07:35:08 -0000 1.83
+++ distinfo 7 Oct 2025 13:42:07 -0000
@@ -76,7 +76,7 @@ SHA256 (cargo/lazy_static-1.5.0.tar.gz)
SHA256 (cargo/libc-0.2.174.tar.gz) = EXFpMpMJmZLhnN3qTouEmWTphG9KzuEbOUi8wze+h3Y=
SHA256 (cargo/libm-0.2.15.tar.gz) = +fu8q1EFL+EE615dNRz3KNMKW+H+FNm+ijsJdIH7l94=
SHA256 (cargo/litemap-0.8.0.tar.gz) = JB6u9f0SyIcFoB/BBmxIxLNuDdQ3fc3H7DlCzqemmVY=
-SHA256 (cargo/log-0.4.27.tar.gz) = E9wt81HjICeDof4NRDdfcpX/tASSZ7DzAYNG3BIqHZQ=
+SHA256 (cargo/log-0.4.28.tar.gz) = NAgFBe+o5FpLgWw0lSXr4yfOqoVZdW8DVsupfvO/dDI=
SHA256 (cargo/lru-slab-0.1.2.tar.gz) = ESs5zsCymLbBmZ/uPjFCf3T2duTLmHntGhIbQ2YaQVQ=
SHA256 (cargo/memchr-2.7.5.tar.gz) = MqKC2mX6rzgobPO+mDIT/PHS4qWHAOgI+D9OqaSAS8A=
SHA256 (cargo/memoffset-0.9.1.tar.gz) = SIAWv65FewNtmWCS9stEhndhHOREnpcM6vQmlSA/IYo=
@@ -124,9 +124,10 @@ SHA256 (cargo/ryu-1.0.20.tar.gz) = KNOys
SHA256 (cargo/schannel-0.1.27.tar.gz) = HynrqjRflFzsn7vFMuswfw/a2BYfKBtjaVOcjYSHaz0=
SHA256 (cargo/security-framework-3.2.0.tar.gz) = JxcgQD9GygT3um9V1Dj4vYeNa4ygoQRugijEFFvLsxY=
SHA256 (cargo/security-framework-sys-2.14.0.tar.gz) = SdsjHVahkEkctK7alSfxrUU0WvULCFFiKnrbjAOwHDI=
-SHA256 (cargo/serde-1.0.219.tar.gz) = Xw4sbtZgYBm04p5p26upWxGFRBDlNH1SUAJFbbu3hrY=
-SHA256 (cargo/serde_derive-1.0.219.tar.gz) = WwJ2z38sczZfcVfIEjwhzZpQ+72ER1evKMofWSX8KgA=
-SHA256 (cargo/serde_json-1.0.143.tar.gz) = 1AGr7x0Qj72cuuvD5GYR9LECH3FKBZenH0HuRj9fSlo=
+SHA256 (cargo/serde-1.0.224.tar.gz) = aq6x6U9TsWOEr1k8ceILCV6VjasdJpOcG3BkXFz7zAs=
+SHA256 (cargo/serde_core-1.0.224.tar.gz) = MvOTkPpjRuJN77zdPZVEuooZmF0K9034UB+/6aZDQas=
+SHA256 (cargo/serde_derive-1.0.224.tar.gz) = h/94q16FYcmmdb/BeFyweuch8O5TMppZXO/YwEwqxOA=
+SHA256 (cargo/serde_json-1.0.145.tar.gz) = QCpvZtjHCRFs8i9VjqshD1pQGH9wLrTX5e842afxx5w=
SHA256 (cargo/serde_urlencoded-0.7.1.tar.gz) = 00kcFHFcoilMTWqI8V6Ec5eIwdAw7tjBEENqr9qi8/0=
SHA256 (cargo/sha1-0.10.6.tar.gz) = 47+Cmi1Rq0pd3xNS2EcMFAytyDAbKuF4nbAj8Bzt1ro=
SHA256 (cargo/sha2-0.10.9.tar.gz) = p1B9gZdp0Bo2WrcHeUpAhDksgk9Up6anhi+MPQiSsoM=
@@ -199,7 +200,7 @@ SHA256 (cargo/zeroize-1.8.1.tar.gz) = zt
SHA256 (cargo/zerotrie-0.2.2.tar.gz) = NvC71HhYP3ntrZeLQHkU9hspcvWvb6CJaGAWvo+a9ZU=
SHA256 (cargo/zerovec-0.11.2.tar.gz) = SgXrCA4BW6OcyeI7vl5/sE1fsEA1D5nzTjONX90pRCg=
SHA256 (cargo/zerovec-derive-0.11.1.tar.gz) = W5YjfvoMh4xkvYnENvZhvk5GsvPv8eu5dvfvIyHS9Y8=
-SHA256 (synapse-1.138.0.tar.gz) = HvSgLweNcUWzxPoGsvBCzZtSiKSmY7LQlbRYYPOShX8=
+SHA256 (synapse-1.139.1.tar.gz) = q/k6/JKTTVjzuUhwKqqtw5irtwVqYmz3ji1XqmvPbeg=
SIZE (cargo/addr2line-0.24.2.tar.gz) = 39015
SIZE (cargo/adler2-2.0.1.tar.gz) = 13366
SIZE (cargo/aho-corasick-1.1.3.tar.gz) = 183311
@@ -278,7 +279,7 @@ SIZE (cargo/lazy_static-1.5.0.tar.gz) =
SIZE (cargo/libc-0.2.174.tar.gz) = 779933
SIZE (cargo/libm-0.2.15.tar.gz) = 156108
SIZE (cargo/litemap-0.8.0.tar.gz) = 34344
-SIZE (cargo/log-0.4.27.tar.gz) = 48120
+SIZE (cargo/log-0.4.28.tar.gz) = 51131
SIZE (cargo/lru-slab-0.1.2.tar.gz) = 9090
SIZE (cargo/memchr-2.7.5.tar.gz) = 97603
SIZE (cargo/memoffset-0.9.1.tar.gz) = 9032
@@ -326,9 +327,10 @@ SIZE (cargo/ryu-1.0.20.tar.gz) = 48738
SIZE (cargo/schannel-0.1.27.tar.gz) = 42772
SIZE (cargo/security-framework-3.2.0.tar.gz) = 86095
SIZE (cargo/security-framework-sys-2.14.0.tar.gz) = 20537
-SIZE (cargo/serde-1.0.219.tar.gz) = 78983
-SIZE (cargo/serde_derive-1.0.219.tar.gz) = 57798
-SIZE (cargo/serde_json-1.0.143.tar.gz) = 155342
+SIZE (cargo/serde-1.0.224.tar.gz) = 28268
+SIZE (cargo/serde_core-1.0.224.tar.gz) = 62766
+SIZE (cargo/serde_derive-1.0.224.tar.gz) = 57909
+SIZE (cargo/serde_json-1.0.145.tar.gz) = 155748
SIZE (cargo/serde_urlencoded-0.7.1.tar.gz) = 12822
SIZE (cargo/sha1-0.10.6.tar.gz) = 13517
SIZE (cargo/sha2-0.10.9.tar.gz) = 29271
@@ -401,4 +403,4 @@ SIZE (cargo/zeroize-1.8.1.tar.gz) = 2002
SIZE (cargo/zerotrie-0.2.2.tar.gz) = 74423
SIZE (cargo/zerovec-0.11.2.tar.gz) = 124500
SIZE (cargo/zerovec-derive-0.11.1.tar.gz) = 21294
-SIZE (synapse-1.138.0.tar.gz) = 9114217
+SIZE (synapse-1.139.1.tar.gz) = 9141608
Index: modules.inc
===================================================================
RCS file: /cvs/ports/net/synapse/modules.inc,v
diff -u -p -r1.46 modules.inc
--- modules.inc 10 Sep 2025 07:35:08 -0000 1.46
+++ modules.inc 7 Oct 2025 13:42:07 -0000
@@ -76,7 +76,7 @@ MODCARGO_CRATES += lazy_static 1.5.0 # M
MODCARGO_CRATES += libc 0.2.174 # MIT OR Apache-2.0
MODCARGO_CRATES += libm 0.2.15 # MIT
MODCARGO_CRATES += litemap 0.8.0 # Unicode-3.0
-MODCARGO_CRATES += log 0.4.27 # MIT OR Apache-2.0
+MODCARGO_CRATES += log 0.4.28 # MIT OR Apache-2.0
MODCARGO_CRATES += lru-slab 0.1.2 # MIT OR Apache-2.0 OR Zlib
MODCARGO_CRATES += memchr 2.7.5 # Unlicense OR MIT
MODCARGO_CRATES += memoffset 0.9.1 # MIT
@@ -124,9 +124,10 @@ MODCARGO_CRATES += ryu 1.0.20 # Apache-2
MODCARGO_CRATES += schannel 0.1.27 # MIT
MODCARGO_CRATES += security-framework 3.2.0 # MIT OR Apache-2.0
MODCARGO_CRATES += security-framework-sys 2.14.0 # MIT OR Apache-2.0
-MODCARGO_CRATES += serde 1.0.219 # MIT OR Apache-2.0
-MODCARGO_CRATES += serde_derive 1.0.219 # MIT OR Apache-2.0
-MODCARGO_CRATES += serde_json 1.0.143 # MIT OR Apache-2.0
+MODCARGO_CRATES += serde 1.0.224 # MIT OR Apache-2.0
+MODCARGO_CRATES += serde_core 1.0.224 # MIT OR Apache-2.0
+MODCARGO_CRATES += serde_derive 1.0.224 # MIT OR Apache-2.0
+MODCARGO_CRATES += serde_json 1.0.145 # MIT OR Apache-2.0
MODCARGO_CRATES += serde_urlencoded 0.7.1 # MIT/Apache-2.0
MODCARGO_CRATES += sha1 0.10.6 # MIT OR Apache-2.0
MODCARGO_CRATES += sha2 0.10.9 # MIT OR Apache-2.0
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/synapse/pkg/PLIST,v
diff -u -p -r1.70 PLIST
--- pkg/PLIST 18 Sep 2025 15:19:38 -0000 1.70
+++ pkg/PLIST 7 Oct 2025 13:42:07 -0000
@@ -14,14 +14,13 @@ bin/synapse_worker
bin/synctl
bin/update_synapse_database
lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/
+lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/AUTHORS.rst
+lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-AGPL-3.0
+lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-COMMERCIAL
lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/METADATA
lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/RECORD
lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/WHEEL
lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/entry_points.txt
-lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/
-lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/AUTHORS.rst
-lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-AGPL-3.0
-lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-COMMERCIAL
lib/python${MODPY_VERSION}/site-packages/synapse/
lib/python${MODPY_VERSION}/site-packages/synapse/__init__.py
${MODPY_COMMENT}lib/python${MODPY_VERSION}/site-packages/synapse/${MODPY_PYCACHE}/
@@ -2200,6 +2199,7 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_add_user_reports.sql
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_event_txn_id_device_id_txn_id2.sql
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_room_ban_redactions.sql
+lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_thread_subscriptions_seq_fixup.sql.postgres
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql.postgres
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/full_schemas/
@@ -2318,6 +2318,8 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}cancellation.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}pyc
+lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
+lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}daemonize.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
@@ -2338,6 +2340,8 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}httpresourcetree.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}pyc
+lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
+lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}logcontext.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
@@ -2366,6 +2370,8 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rlimit.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}pyc
+lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
+lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}task_scheduler.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
@@ -2415,6 +2421,7 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/util/caches/ttlcache.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/cancellation.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/check_dependencies.py
+lib/python${MODPY_VERSION}/site-packages/synapse/util/clock.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/constants.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/daemonize.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/distributor.py
@@ -2425,6 +2432,7 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/util/hash.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/httpresourcetree.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/iterutils.py
+lib/python${MODPY_VERSION}/site-packages/synapse/util/json.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/linked_list.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/logcontext.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/logformatter.py
@@ -2439,6 +2447,7 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/util/retryutils.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/rlimit.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/rust.py
+lib/python${MODPY_VERSION}/site-packages/synapse/util/sentinel.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/stringutils.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/task_scheduler.py
lib/python${MODPY_VERSION}/site-packages/synapse/util/templates.py