From: Renaud Allard Subject: Re: [security] net/synapse 1.105.1 To: Landry Breuil Cc: ports@openbsd.org Date: Mon, 29 Apr 2024 13:51:50 +0200 On 4/29/24 1:17 PM, Landry Breuil wrote: > Le Mon, Apr 29, 2024 at 10:18:24AM +0200, Renaud Allard a écrit : >> >> >> On 4/29/24 9:43 AM, Landry Breuil wrote: >>> Le Mon, Apr 29, 2024 at 09:38:25AM +0200, Renaud Allard a écrit : >>>> Hello, >>>> >>>> This is a small update for net/synapse to 1.105.1 to solve CVE-2024-31208 >>> >>> can you assess whether this should be backported to 7.5-stable, only a >>> single commit, the complete update ? >>> >> The commit for the fix is https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a >> >> It seems it affects all versions prior to 1.105.1. >> I don't think backporting the whole version is really an issue, it might be >> more simple than to just add the fix. There are no breaking changes between >> the versions and I have tested the backport on -stable. >> >> Given that it can more or less corrupt the database by filling the disk, it >> might be a good idea to backport it to -stable. > > the only drawback i can see is that the fix bumps the database schema > version, so it requires an update of the database after applying the fix ? Yes, that's why I think it's better to backport the full version instead of applying the patch alone as this could bring issues later.