[security] net/synapse 1.139.1
ok for post-unlock
On 2025/10/07 15:44, Renaud Allard wrote:
> Hello,
>
> Here is a diff for net/synapse to 1.139.1
> Tested on amd64
>
> This solves CVE-2025-61672
> Lack of validation for device keys in Synapse before 1.139.1 allows an
> attacker registered on the victim homeserver to degrade federation
> functionality, unpredictably breaking outbound federation to other
> homeservers.
>
> Best Regards
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/synapse/Makefile,v
> diff -u -p -r1.110 Makefile
> --- Makefile 18 Sep 2025 15:19:38 -0000 1.110
> +++ Makefile 7 Oct 2025 13:42:07 -0000
> @@ -1,7 +1,6 @@
> COMMENT = open network for secure, decentralized communication
>
> -MODPY_DISTV = 1.138.0
> -REVISION = 2
> +MODPY_DISTV = 1.139.1
>
> GH_ACCOUNT = element-hq
> GH_PROJECT = synapse
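Review bot: dropping REVISION together with the MODPY_DISTV bump is correct here, since REVISION only tracks rebuilds of the same upstream version and resets on a new release; no change needed in this hunk. Because this update is a security fix, make sure the commit log carries the CVE-2025-61672 reference from the mail body so the fix stays traceable in the ports history.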
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/synapse/distinfo,v
> diff -u -p -r1.83 distinfo
> --- distinfo 10 Sep 2025 07:35:08 -0000 1.83
> +++ distinfo 7 Oct 2025 13:42:07 -0000
> @@ -76,7 +76,7 @@ SHA256 (cargo/lazy_static-1.5.0.tar.gz)
> SHA256 (cargo/libc-0.2.174.tar.gz) = EXFpMpMJmZLhnN3qTouEmWTphG9KzuEbOUi8wze+h3Y=
> SHA256 (cargo/libm-0.2.15.tar.gz) = +fu8q1EFL+EE615dNRz3KNMKW+H+FNm+ijsJdIH7l94=
> SHA256 (cargo/litemap-0.8.0.tar.gz) = JB6u9f0SyIcFoB/BBmxIxLNuDdQ3fc3H7DlCzqemmVY=
> -SHA256 (cargo/log-0.4.27.tar.gz) = E9wt81HjICeDof4NRDdfcpX/tASSZ7DzAYNG3BIqHZQ=
> +SHA256 (cargo/log-0.4.28.tar.gz) = NAgFBe+o5FpLgWw0lSXr4yfOqoVZdW8DVsupfvO/dDI=
> SHA256 (cargo/lru-slab-0.1.2.tar.gz) = ESs5zsCymLbBmZ/uPjFCf3T2duTLmHntGhIbQ2YaQVQ=
> SHA256 (cargo/memchr-2.7.5.tar.gz) = MqKC2mX6rzgobPO+mDIT/PHS4qWHAOgI+D9OqaSAS8A=
> SHA256 (cargo/memoffset-0.9.1.tar.gz) = SIAWv65FewNtmWCS9stEhndhHOREnpcM6vQmlSA/IYo=
> @@ -124,9 +124,10 @@ SHA256 (cargo/ryu-1.0.20.tar.gz) = KNOys
> SHA256 (cargo/schannel-0.1.27.tar.gz) = HynrqjRflFzsn7vFMuswfw/a2BYfKBtjaVOcjYSHaz0=
> SHA256 (cargo/security-framework-3.2.0.tar.gz) = JxcgQD9GygT3um9V1Dj4vYeNa4ygoQRugijEFFvLsxY=
> SHA256 (cargo/security-framework-sys-2.14.0.tar.gz) = SdsjHVahkEkctK7alSfxrUU0WvULCFFiKnrbjAOwHDI=
> -SHA256 (cargo/serde-1.0.219.tar.gz) = Xw4sbtZgYBm04p5p26upWxGFRBDlNH1SUAJFbbu3hrY=
> -SHA256 (cargo/serde_derive-1.0.219.tar.gz) = WwJ2z38sczZfcVfIEjwhzZpQ+72ER1evKMofWSX8KgA=
> -SHA256 (cargo/serde_json-1.0.143.tar.gz) = 1AGr7x0Qj72cuuvD5GYR9LECH3FKBZenH0HuRj9fSlo=
> +SHA256 (cargo/serde-1.0.224.tar.gz) = aq6x6U9TsWOEr1k8ceILCV6VjasdJpOcG3BkXFz7zAs=
> +SHA256 (cargo/serde_core-1.0.224.tar.gz) = MvOTkPpjRuJN77zdPZVEuooZmF0K9034UB+/6aZDQas=
> +SHA256 (cargo/serde_derive-1.0.224.tar.gz) = h/94q16FYcmmdb/BeFyweuch8O5TMppZXO/YwEwqxOA=
> +SHA256 (cargo/serde_json-1.0.145.tar.gz) = QCpvZtjHCRFs8i9VjqshD1pQGH9wLrTX5e842afxx5w=
> SHA256 (cargo/serde_urlencoded-0.7.1.tar.gz) = 00kcFHFcoilMTWqI8V6Ec5eIwdAw7tjBEENqr9qi8/0=
> SHA256 (cargo/sha1-0.10.6.tar.gz) = 47+Cmi1Rq0pd3xNS2EcMFAytyDAbKuF4nbAj8Bzt1ro=
> SHA256 (cargo/sha2-0.10.9.tar.gz) = p1B9gZdp0Bo2WrcHeUpAhDksgk9Up6anhi+MPQiSsoM=
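Review bot: serde_core 1.0.224 is a brand-new crate in this hunk, not just a version bump, so it must also appear in modules.inc (it does, below) or the cargo module will not fetch it and the checksum step will fail on the missing distfile. These hashes should come from `make makesum` after `make modcargo-gen-crates`, not hand edits, so that distinfo and modules.inc are derived from the same upstream Cargo.lock.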
> @@ -199,7 +200,7 @@ SHA256 (cargo/zeroize-1.8.1.tar.gz) = zt
> SHA256 (cargo/zerotrie-0.2.2.tar.gz) = NvC71HhYP3ntrZeLQHkU9hspcvWvb6CJaGAWvo+a9ZU=
> SHA256 (cargo/zerovec-0.11.2.tar.gz) = SgXrCA4BW6OcyeI7vl5/sE1fsEA1D5nzTjONX90pRCg=
> SHA256 (cargo/zerovec-derive-0.11.1.tar.gz) = W5YjfvoMh4xkvYnENvZhvk5GsvPv8eu5dvfvIyHS9Y8=
> -SHA256 (synapse-1.138.0.tar.gz) = HvSgLweNcUWzxPoGsvBCzZtSiKSmY7LQlbRYYPOShX8=
> +SHA256 (synapse-1.139.1.tar.gz) = q/k6/JKTTVjzuUhwKqqtw5irtwVqYmz3ji1XqmvPbeg=
> SIZE (cargo/addr2line-0.24.2.tar.gz) = 39015
> SIZE (cargo/adler2-2.0.1.tar.gz) = 13366
> SIZE (cargo/aho-corasick-1.1.3.tar.gz) = 183311
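Review bot: the synapse-1.139.1.tar.gz hash on the `+` line is the one checksum in this diff that actually carries the CVE-2025-61672 fix, so it is worth cross-checking against the upstream element-hq/synapse release artifact from a second fetch rather than trusting a single download; a wrong or substituted tarball here would silently ship a different tree under the fixed version number.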
> @@ -278,7 +279,7 @@ SIZE (cargo/lazy_static-1.5.0.tar.gz) =
> SIZE (cargo/libc-0.2.174.tar.gz) = 779933
> SIZE (cargo/libm-0.2.15.tar.gz) = 156108
> SIZE (cargo/litemap-0.8.0.tar.gz) = 34344
> -SIZE (cargo/log-0.4.27.tar.gz) = 48120
> +SIZE (cargo/log-0.4.28.tar.gz) = 51131
> SIZE (cargo/lru-slab-0.1.2.tar.gz) = 9090
> SIZE (cargo/memchr-2.7.5.tar.gz) = 97603
> SIZE (cargo/memoffset-0.9.1.tar.gz) = 9032
> @@ -326,9 +327,10 @@ SIZE (cargo/ryu-1.0.20.tar.gz) = 48738
> SIZE (cargo/schannel-0.1.27.tar.gz) = 42772
> SIZE (cargo/security-framework-3.2.0.tar.gz) = 86095
> SIZE (cargo/security-framework-sys-2.14.0.tar.gz) = 20537
> -SIZE (cargo/serde-1.0.219.tar.gz) = 78983
> -SIZE (cargo/serde_derive-1.0.219.tar.gz) = 57798
> -SIZE (cargo/serde_json-1.0.143.tar.gz) = 155342
> +SIZE (cargo/serde-1.0.224.tar.gz) = 28268
> +SIZE (cargo/serde_core-1.0.224.tar.gz) = 62766
> +SIZE (cargo/serde_derive-1.0.224.tar.gz) = 57909
> +SIZE (cargo/serde_json-1.0.145.tar.gz) = 155748
> SIZE (cargo/serde_urlencoded-0.7.1.tar.gz) = 12822
> SIZE (cargo/sha1-0.10.6.tar.gz) = 13517
> SIZE (cargo/sha2-0.10.9.tar.gz) = 29271
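Review bot: the serde tarball shrinking from 78983 to 28268 bytes looks alarming at first glance but is expected: the new serde_core entry at 62766 bytes shows the crate was split, with most of the code moving into serde_core. This is not a truncated download; `make checksum` will confirm both SIZE and SHA256 agree with the fetched files.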
> @@ -401,4 +403,4 @@ SIZE (cargo/zeroize-1.8.1.tar.gz) = 2002
> SIZE (cargo/zerotrie-0.2.2.tar.gz) = 74423
> SIZE (cargo/zerovec-0.11.2.tar.gz) = 124500
> SIZE (cargo/zerovec-derive-0.11.1.tar.gz) = 21294
> -SIZE (synapse-1.138.0.tar.gz) = 9114217
> +SIZE (synapse-1.139.1.tar.gz) = 9141608
> Index: modules.inc
> ===================================================================
> RCS file: /cvs/ports/net/synapse/modules.inc,v
> diff -u -p -r1.46 modules.inc
> --- modules.inc 10 Sep 2025 07:35:08 -0000 1.46
> +++ modules.inc 7 Oct 2025 13:42:07 -0000
> @@ -76,7 +76,7 @@ MODCARGO_CRATES += lazy_static 1.5.0 # M
> MODCARGO_CRATES += libc 0.2.174 # MIT OR Apache-2.0
> MODCARGO_CRATES += libm 0.2.15 # MIT
> MODCARGO_CRATES += litemap 0.8.0 # Unicode-3.0
> -MODCARGO_CRATES += log 0.4.27 # MIT OR Apache-2.0
> +MODCARGO_CRATES += log 0.4.28 # MIT OR Apache-2.0
> MODCARGO_CRATES += lru-slab 0.1.2 # MIT OR Apache-2.0 OR Zlib
> MODCARGO_CRATES += memchr 2.7.5 # Unlicense OR MIT
> MODCARGO_CRATES += memoffset 0.9.1 # MIT
> @@ -124,9 +124,10 @@ MODCARGO_CRATES += ryu 1.0.20 # Apache-2
> MODCARGO_CRATES += schannel 0.1.27 # MIT
> MODCARGO_CRATES += security-framework 3.2.0 # MIT OR Apache-2.0
> MODCARGO_CRATES += security-framework-sys 2.14.0 # MIT OR Apache-2.0
> -MODCARGO_CRATES += serde 1.0.219 # MIT OR Apache-2.0
> -MODCARGO_CRATES += serde_derive 1.0.219 # MIT OR Apache-2.0
> -MODCARGO_CRATES += serde_json 1.0.143 # MIT OR Apache-2.0
> +MODCARGO_CRATES += serde 1.0.224 # MIT OR Apache-2.0
> +MODCARGO_CRATES += serde_core 1.0.224 # MIT OR Apache-2.0
> +MODCARGO_CRATES += serde_derive 1.0.224 # MIT OR Apache-2.0
> +MODCARGO_CRATES += serde_json 1.0.145 # MIT OR Apache-2.0
> MODCARGO_CRATES += serde_urlencoded 0.7.1 # MIT/Apache-2.0
> MODCARGO_CRATES += sha1 0.10.6 # MIT OR Apache-2.0
> MODCARGO_CRATES += sha2 0.10.9 # MIT OR Apache-2.0
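Review bot: the serde_core license comment reads "MIT OR Apache-2.0", matching serde, serde_derive and serde_json, so no new license terms enter the port with this hunk. The comment should still be produced by `make modcargo-gen-crates-licenses` rather than copied from the neighbouring serde line, so that the recorded license is the one declared in the crate's own Cargo.toml.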
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/net/synapse/pkg/PLIST,v
> diff -u -p -r1.70 PLIST
> --- pkg/PLIST 18 Sep 2025 15:19:38 -0000 1.70
> +++ pkg/PLIST 7 Oct 2025 13:42:07 -0000
> @@ -14,14 +14,13 @@ bin/synapse_worker
> bin/synctl
> bin/update_synapse_database
> lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/
> +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/AUTHORS.rst
> +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-AGPL-3.0
> +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-COMMERCIAL
> lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/METADATA
> lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/RECORD
> lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/WHEEL
> lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/entry_points.txt
> -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/
> -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/AUTHORS.rst
> -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-AGPL-3.0
> -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-COMMERCIAL
> lib/python${MODPY_VERSION}/site-packages/synapse/
> lib/python${MODPY_VERSION}/site-packages/synapse/__init__.py
> ${MODPY_COMMENT}lib/python${MODPY_VERSION}/site-packages/synapse/${MODPY_PYCACHE}/
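Review bot: AUTHORS.rst and the two LICENSE-* files move from the dist-info/licenses/ subdirectory up to the dist-info/ directory itself, and the licenses/ directory entry is removed. That is a change in the wheel metadata layout produced by the build backend, not something in the Synapse sources, so it should come straight from `make update-plist`; if the PLIST was hand-edited, re-run update-plist to be sure no other dist-info entries shifted with it.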
> @@ -2200,6 +2199,7 @@ lib/python${MODPY_VERSION}/site-packages
> lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_add_user_reports.sql
> lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_event_txn_id_device_id_txn_id2.sql
> lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_room_ban_redactions.sql
> +lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_thread_subscriptions_seq_fixup.sql.postgres
> lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql
> lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql.postgres
> lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/full_schemas/
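Review bot: the new 08_thread_subscriptions_seq_fixup.sql.postgres delta means PostgreSQL-backed instances will run a schema migration on first start after the upgrade, while SQLite instances (no matching plain .sql file in this hunk) will not. Operators should take a database backup before updating, since Synapse schema deltas are applied automatically and are not reversed by simply reinstalling the 1.138.0 package.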
> @@ -2318,6 +2318,8 @@ lib/python${MODPY_VERSION}/site-packages
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}cancellation.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}pyc
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}daemonize.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
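Review bot: the clock, json and sentinel __pycache__ pairs added in this and the following hunks each need a matching synapse/util/*.py entry later in the PLIST; the diff does add clock.py, json.py and sentinel.py, so the bytecode and source entries are consistent and `make port-lib-depends-check` / `make update-plist` should report nothing missing.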
> @@ -2338,6 +2340,8 @@ lib/python${MODPY_VERSION}/site-packages
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}httpresourcetree.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}pyc
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}logcontext.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> @@ -2366,6 +2370,8 @@ lib/python${MODPY_VERSION}/site-packages
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rlimit.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}pyc
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}pyc
> lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}task_scheduler.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
> @@ -2415,6 +2421,7 @@ lib/python${MODPY_VERSION}/site-packages
> lib/python${MODPY_VERSION}/site-packages/synapse/util/caches/ttlcache.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/cancellation.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/check_dependencies.py
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/clock.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/constants.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/daemonize.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/distributor.py
> @@ -2425,6 +2432,7 @@ lib/python${MODPY_VERSION}/site-packages
> lib/python${MODPY_VERSION}/site-packages/synapse/util/hash.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/httpresourcetree.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/iterutils.py
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/json.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/linked_list.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/logcontext.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/logformatter.py
> @@ -2439,6 +2447,7 @@ lib/python${MODPY_VERSION}/site-packages
> lib/python${MODPY_VERSION}/site-packages/synapse/util/retryutils.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/rlimit.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/rust.py
> +lib/python${MODPY_VERSION}/site-packages/synapse/util/sentinel.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/stringutils.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/task_scheduler.py
> lib/python${MODPY_VERSION}/site-packages/synapse/util/templates.py