From: Renaud Allard
Subject: Re: [security] net/synapse 1.105.1
To: ports@openbsd.org
Date: Mon, 29 Apr 2024 10:18:24 +0200

On 4/29/24 9:43 AM, Landry Breuil wrote:
> On Mon, Apr 29, 2024 at 09:38:25AM +0200, Renaud Allard wrote:
>> Hello,
>>
>> This is a small update for net/synapse to 1.105.1 to solve CVE-2024-31208
>
> can you assess whether this should be backported to 7.5-stable, only a
> single commit, the complete update?
>

The commit for the fix is
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a

It seems it affects all versions prior to 1.105.1. I don't think
backporting the whole version is really an issue; it might be simpler
than just adding the fix. There are no breaking changes between the
versions and I have tested the backport on -stable.

Given that it can more or less corrupt the database by filling the disk,
it might be a good idea to backport it to -stable.