From: Renaud Allard Subject: [security] net/synapse 1.139.1 To: ports Date: Tue, 7 Oct 2025 15:44:51 +0200 Hello, Here is a diff for net/synapse to 1.139.1 Tested on amd64 This solves CVE-2025-61672 Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. Best Regards Index: Makefile =================================================================== RCS file: /cvs/ports/net/synapse/Makefile,v diff -u -p -r1.110 Makefile --- Makefile 18 Sep 2025 15:19:38 -0000 1.110 +++ Makefile 7 Oct 2025 13:42:07 -0000 @@ -1,7 +1,6 @@ COMMENT = open network for secure, decentralized communication -MODPY_DISTV = 1.138.0 -REVISION = 2 +MODPY_DISTV = 1.139.1 GH_ACCOUNT = element-hq GH_PROJECT = synapse Index: distinfo =================================================================== RCS file: /cvs/ports/net/synapse/distinfo,v diff -u -p -r1.83 distinfo --- distinfo 10 Sep 2025 07:35:08 -0000 1.83 +++ distinfo 7 Oct 2025 13:42:07 -0000 @@ -76,7 +76,7 @@ SHA256 (cargo/lazy_static-1.5.0.tar.gz) SHA256 (cargo/libc-0.2.174.tar.gz) = EXFpMpMJmZLhnN3qTouEmWTphG9KzuEbOUi8wze+h3Y= SHA256 (cargo/libm-0.2.15.tar.gz) = +fu8q1EFL+EE615dNRz3KNMKW+H+FNm+ijsJdIH7l94= SHA256 (cargo/litemap-0.8.0.tar.gz) = JB6u9f0SyIcFoB/BBmxIxLNuDdQ3fc3H7DlCzqemmVY= -SHA256 (cargo/log-0.4.27.tar.gz) = E9wt81HjICeDof4NRDdfcpX/tASSZ7DzAYNG3BIqHZQ= +SHA256 (cargo/log-0.4.28.tar.gz) = NAgFBe+o5FpLgWw0lSXr4yfOqoVZdW8DVsupfvO/dDI= SHA256 (cargo/lru-slab-0.1.2.tar.gz) = ESs5zsCymLbBmZ/uPjFCf3T2duTLmHntGhIbQ2YaQVQ= SHA256 (cargo/memchr-2.7.5.tar.gz) = MqKC2mX6rzgobPO+mDIT/PHS4qWHAOgI+D9OqaSAS8A= SHA256 (cargo/memoffset-0.9.1.tar.gz) = SIAWv65FewNtmWCS9stEhndhHOREnpcM6vQmlSA/IYo= 
@@ -124,9 +124,10 @@ SHA256 (cargo/ryu-1.0.20.tar.gz) = KNOys SHA256 (cargo/schannel-0.1.27.tar.gz) = HynrqjRflFzsn7vFMuswfw/a2BYfKBtjaVOcjYSHaz0= SHA256 (cargo/security-framework-3.2.0.tar.gz) = JxcgQD9GygT3um9V1Dj4vYeNa4ygoQRugijEFFvLsxY= SHA256 (cargo/security-framework-sys-2.14.0.tar.gz) = SdsjHVahkEkctK7alSfxrUU0WvULCFFiKnrbjAOwHDI= -SHA256 (cargo/serde-1.0.219.tar.gz) = Xw4sbtZgYBm04p5p26upWxGFRBDlNH1SUAJFbbu3hrY= -SHA256 (cargo/serde_derive-1.0.219.tar.gz) = WwJ2z38sczZfcVfIEjwhzZpQ+72ER1evKMofWSX8KgA= -SHA256 (cargo/serde_json-1.0.143.tar.gz) = 1AGr7x0Qj72cuuvD5GYR9LECH3FKBZenH0HuRj9fSlo= +SHA256 (cargo/serde-1.0.224.tar.gz) = aq6x6U9TsWOEr1k8ceILCV6VjasdJpOcG3BkXFz7zAs= +SHA256 (cargo/serde_core-1.0.224.tar.gz) = MvOTkPpjRuJN77zdPZVEuooZmF0K9034UB+/6aZDQas= +SHA256 (cargo/serde_derive-1.0.224.tar.gz) = h/94q16FYcmmdb/BeFyweuch8O5TMppZXO/YwEwqxOA= +SHA256 (cargo/serde_json-1.0.145.tar.gz) = QCpvZtjHCRFs8i9VjqshD1pQGH9wLrTX5e842afxx5w= SHA256 (cargo/serde_urlencoded-0.7.1.tar.gz) = 00kcFHFcoilMTWqI8V6Ec5eIwdAw7tjBEENqr9qi8/0= SHA256 (cargo/sha1-0.10.6.tar.gz) = 47+Cmi1Rq0pd3xNS2EcMFAytyDAbKuF4nbAj8Bzt1ro= SHA256 (cargo/sha2-0.10.9.tar.gz) = p1B9gZdp0Bo2WrcHeUpAhDksgk9Up6anhi+MPQiSsoM= @@ -199,7 +200,7 @@ SHA256 (cargo/zeroize-1.8.1.tar.gz) = zt SHA256 (cargo/zerotrie-0.2.2.tar.gz) = NvC71HhYP3ntrZeLQHkU9hspcvWvb6CJaGAWvo+a9ZU= SHA256 (cargo/zerovec-0.11.2.tar.gz) = SgXrCA4BW6OcyeI7vl5/sE1fsEA1D5nzTjONX90pRCg= SHA256 (cargo/zerovec-derive-0.11.1.tar.gz) = W5YjfvoMh4xkvYnENvZhvk5GsvPv8eu5dvfvIyHS9Y8= -SHA256 (synapse-1.138.0.tar.gz) = HvSgLweNcUWzxPoGsvBCzZtSiKSmY7LQlbRYYPOShX8= +SHA256 (synapse-1.139.1.tar.gz) = q/k6/JKTTVjzuUhwKqqtw5irtwVqYmz3ji1XqmvPbeg= SIZE (cargo/addr2line-0.24.2.tar.gz) = 39015 SIZE (cargo/adler2-2.0.1.tar.gz) = 13366 SIZE (cargo/aho-corasick-1.1.3.tar.gz) = 183311 
@@ -278,7 +279,7 @@ SIZE (cargo/lazy_static-1.5.0.tar.gz) = SIZE (cargo/libc-0.2.174.tar.gz) = 779933 SIZE (cargo/libm-0.2.15.tar.gz) = 156108 SIZE (cargo/litemap-0.8.0.tar.gz) = 34344 -SIZE (cargo/log-0.4.27.tar.gz) = 48120 +SIZE (cargo/log-0.4.28.tar.gz) = 51131 SIZE (cargo/lru-slab-0.1.2.tar.gz) = 9090 SIZE (cargo/memchr-2.7.5.tar.gz) = 97603 SIZE (cargo/memoffset-0.9.1.tar.gz) = 9032 @@ -326,9 +327,10 @@ SIZE (cargo/ryu-1.0.20.tar.gz) = 48738 SIZE (cargo/schannel-0.1.27.tar.gz) = 42772 SIZE (cargo/security-framework-3.2.0.tar.gz) = 86095 SIZE (cargo/security-framework-sys-2.14.0.tar.gz) = 20537 -SIZE (cargo/serde-1.0.219.tar.gz) = 78983 -SIZE (cargo/serde_derive-1.0.219.tar.gz) = 57798 -SIZE (cargo/serde_json-1.0.143.tar.gz) = 155342 +SIZE (cargo/serde-1.0.224.tar.gz) = 28268 +SIZE (cargo/serde_core-1.0.224.tar.gz) = 62766 +SIZE (cargo/serde_derive-1.0.224.tar.gz) = 57909 +SIZE (cargo/serde_json-1.0.145.tar.gz) = 155748 SIZE (cargo/serde_urlencoded-0.7.1.tar.gz) = 12822 SIZE (cargo/sha1-0.10.6.tar.gz) = 13517 SIZE (cargo/sha2-0.10.9.tar.gz) = 29271 @@ -401,4 +403,4 @@ SIZE (cargo/zeroize-1.8.1.tar.gz) = 2002 SIZE (cargo/zerotrie-0.2.2.tar.gz) = 74423 SIZE (cargo/zerovec-0.11.2.tar.gz) = 124500 SIZE (cargo/zerovec-derive-0.11.1.tar.gz) = 21294 -SIZE (synapse-1.138.0.tar.gz) = 9114217 +SIZE (synapse-1.139.1.tar.gz) = 9141608 Index: modules.inc =================================================================== RCS file: /cvs/ports/net/synapse/modules.inc,v diff -u -p -r1.46 modules.inc --- modules.inc 10 Sep 2025 07:35:08 -0000 1.46 +++ modules.inc 7 Oct 2025 13:42:07 -0000 
@@ -76,7 +76,7 @@ MODCARGO_CRATES += lazy_static 1.5.0 # M MODCARGO_CRATES += libc 0.2.174 # MIT OR Apache-2.0 MODCARGO_CRATES += libm 0.2.15 # MIT MODCARGO_CRATES += litemap 0.8.0 # Unicode-3.0 -MODCARGO_CRATES += log 0.4.27 # MIT OR Apache-2.0 +MODCARGO_CRATES += log 0.4.28 # MIT OR Apache-2.0 MODCARGO_CRATES += lru-slab 0.1.2 # MIT OR Apache-2.0 OR Zlib MODCARGO_CRATES += memchr 2.7.5 # Unlicense OR MIT MODCARGO_CRATES += memoffset 0.9.1 # MIT @@ -124,9 +124,10 @@ MODCARGO_CRATES += ryu 1.0.20 # Apache-2 MODCARGO_CRATES += schannel 0.1.27 # MIT MODCARGO_CRATES += security-framework 3.2.0 # MIT OR Apache-2.0 MODCARGO_CRATES += security-framework-sys 2.14.0 # MIT OR Apache-2.0 -MODCARGO_CRATES += serde 1.0.219 # MIT OR Apache-2.0 -MODCARGO_CRATES += serde_derive 1.0.219 # MIT OR Apache-2.0 -MODCARGO_CRATES += serde_json 1.0.143 # MIT OR Apache-2.0 +MODCARGO_CRATES += serde 1.0.224 # MIT OR Apache-2.0 +MODCARGO_CRATES += serde_core 1.0.224 # MIT OR Apache-2.0 +MODCARGO_CRATES += serde_derive 1.0.224 # MIT OR Apache-2.0 +MODCARGO_CRATES += serde_json 1.0.145 # MIT OR Apache-2.0 MODCARGO_CRATES += serde_urlencoded 0.7.1 # MIT/Apache-2.0 MODCARGO_CRATES += sha1 0.10.6 # MIT OR Apache-2.0 MODCARGO_CRATES += sha2 0.10.9 # MIT OR Apache-2.0 Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/net/synapse/pkg/PLIST,v diff -u -p -r1.70 PLIST --- pkg/PLIST 18 Sep 2025 15:19:38 -0000 1.70 +++ pkg/PLIST 7 Oct 2025 13:42:07 -0000 
@@ -14,14 +14,13 @@ bin/synapse_worker bin/synctl bin/update_synapse_database lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/ +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/AUTHORS.rst +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-AGPL-3.0 +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-COMMERCIAL lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/METADATA lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/RECORD lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/WHEEL lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/entry_points.txt -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/ -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/AUTHORS.rst -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-AGPL-3.0 -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-COMMERCIAL lib/python${MODPY_VERSION}/site-packages/synapse/ lib/python${MODPY_VERSION}/site-packages/synapse/__init__.py ${MODPY_COMMENT}lib/python${MODPY_VERSION}/site-packages/synapse/${MODPY_PYCACHE}/ 
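Review bot: The first pkg/PLIST hunk moves AUTHORS.rst, LICENSE-AGPL-3.0 and LICENSE-COMMERCIAL from `matrix_synapse-${MODPY_DISTV}.dist-info/licenses/` back to the top of the dist-info directory, which undoes the layout in PLIST r1.70 from 18 Sep 2025. The location of licence files in dist-info is normally decided by the Python build backend used at packaging time rather than by the Synapse release, so this may reflect an out-of-date build dependency on the machine that generated the diff; this is inferred, not visible in the diff. If so, the package will fail the PLIST check on an up-to-date builder and the CVE-2025-61672 fix will be delayed in reaching users. Please rerun `make update-plist` on a tree with current build dependencies. Keep the `.dist-info/licenses/` entries if they reappear, or say in the mail that the layout change is intended.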
@@ -2200,6 +2199,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_add_user_reports.sql lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_event_txn_id_device_id_txn_id2.sql lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_room_ban_redactions.sql +lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_thread_subscriptions_seq_fixup.sql.postgres lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql.postgres lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/full_schemas/ @@ -2318,6 +2318,8 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}cancellation.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}pyc +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}daemonize.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
@@ -2338,6 +2340,8 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}httpresourcetree.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}pyc +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}logcontext.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} @@ -2366,6 +2370,8 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rlimit.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}pyc +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}task_scheduler.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
@@ -2415,6 +2421,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/synapse/util/caches/ttlcache.py lib/python${MODPY_VERSION}/site-packages/synapse/util/cancellation.py lib/python${MODPY_VERSION}/site-packages/synapse/util/check_dependencies.py +lib/python${MODPY_VERSION}/site-packages/synapse/util/clock.py lib/python${MODPY_VERSION}/site-packages/synapse/util/constants.py lib/python${MODPY_VERSION}/site-packages/synapse/util/daemonize.py lib/python${MODPY_VERSION}/site-packages/synapse/util/distributor.py @@ -2425,6 +2432,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/synapse/util/hash.py lib/python${MODPY_VERSION}/site-packages/synapse/util/httpresourcetree.py lib/python${MODPY_VERSION}/site-packages/synapse/util/iterutils.py +lib/python${MODPY_VERSION}/site-packages/synapse/util/json.py lib/python${MODPY_VERSION}/site-packages/synapse/util/linked_list.py lib/python${MODPY_VERSION}/site-packages/synapse/util/logcontext.py lib/python${MODPY_VERSION}/site-packages/synapse/util/logformatter.py @@ -2439,6 +2447,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/synapse/util/retryutils.py lib/python${MODPY_VERSION}/site-packages/synapse/util/rlimit.py lib/python${MODPY_VERSION}/site-packages/synapse/util/rust.py +lib/python${MODPY_VERSION}/site-packages/synapse/util/sentinel.py lib/python${MODPY_VERSION}/site-packages/synapse/util/stringutils.py lib/python${MODPY_VERSION}/site-packages/synapse/util/task_scheduler.py lib/python${MODPY_VERSION}/site-packages/synapse/util/templates.py