From: Stuart Henderson Subject: Re: [security] net/synapse 1.139.1 To: Renaud Allard Cc: ports Date: Tue, 7 Oct 2025 15:50:29 +0100 ok for post-unlock On 2025/10/07 15:44, Renaud Allard wrote: > Hello, > > Here is a diff for net/synapse to 1.139.1 > Tested on amd64 > > This solves CVE-2025-61672 > Lack of validation for device keys in Synapse before 1.139.1 allows an > attacker registered on the victim homeserver to degrade federation > functionality, unpredictably breaking outbound federation to other > homeservers. > > Best Regards > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/synapse/Makefile,v > diff -u -p -r1.110 Makefile > --- Makefile 18 Sep 2025 15:19:38 -0000 1.110 > +++ Makefile 7 Oct 2025 13:42:07 -0000 > @@ -1,7 +1,6 @@ > COMMENT = open network for secure, decentralized communication > > -MODPY_DISTV = 1.138.0 > -REVISION = 2 > +MODPY_DISTV = 1.139.1 > > GH_ACCOUNT = element-hq > GH_PROJECT = synapse > Index: distinfo > =================================================================== > RCS file: /cvs/ports/net/synapse/distinfo,v > diff -u -p -r1.83 distinfo > --- distinfo 10 Sep 2025 07:35:08 -0000 1.83 > +++ distinfo 7 Oct 2025 13:42:07 -0000 > @@ -76,7 +76,7 @@ SHA256 (cargo/lazy_static-1.5.0.tar.gz) > SHA256 (cargo/libc-0.2.174.tar.gz) = EXFpMpMJmZLhnN3qTouEmWTphG9KzuEbOUi8wze+h3Y= > SHA256 (cargo/libm-0.2.15.tar.gz) = +fu8q1EFL+EE615dNRz3KNMKW+H+FNm+ijsJdIH7l94= > SHA256 (cargo/litemap-0.8.0.tar.gz) = JB6u9f0SyIcFoB/BBmxIxLNuDdQ3fc3H7DlCzqemmVY= > -SHA256 (cargo/log-0.4.27.tar.gz) = E9wt81HjICeDof4NRDdfcpX/tASSZ7DzAYNG3BIqHZQ= > +SHA256 (cargo/log-0.4.28.tar.gz) = NAgFBe+o5FpLgWw0lSXr4yfOqoVZdW8DVsupfvO/dDI= > SHA256 (cargo/lru-slab-0.1.2.tar.gz) = ESs5zsCymLbBmZ/uPjFCf3T2duTLmHntGhIbQ2YaQVQ= > SHA256 (cargo/memchr-2.7.5.tar.gz) = MqKC2mX6rzgobPO+mDIT/PHS4qWHAOgI+D9OqaSAS8A= > SHA256 (cargo/memoffset-0.9.1.tar.gz) = SIAWv65FewNtmWCS9stEhndhHOREnpcM6vQmlSA/IYo= 
> @@ -124,9 +124,10 @@ SHA256 (cargo/ryu-1.0.20.tar.gz) = KNOys > SHA256 (cargo/schannel-0.1.27.tar.gz) = HynrqjRflFzsn7vFMuswfw/a2BYfKBtjaVOcjYSHaz0= > SHA256 (cargo/security-framework-3.2.0.tar.gz) = JxcgQD9GygT3um9V1Dj4vYeNa4ygoQRugijEFFvLsxY= > SHA256 (cargo/security-framework-sys-2.14.0.tar.gz) = SdsjHVahkEkctK7alSfxrUU0WvULCFFiKnrbjAOwHDI= > -SHA256 (cargo/serde-1.0.219.tar.gz) = Xw4sbtZgYBm04p5p26upWxGFRBDlNH1SUAJFbbu3hrY= > -SHA256 (cargo/serde_derive-1.0.219.tar.gz) = WwJ2z38sczZfcVfIEjwhzZpQ+72ER1evKMofWSX8KgA= > -SHA256 (cargo/serde_json-1.0.143.tar.gz) = 1AGr7x0Qj72cuuvD5GYR9LECH3FKBZenH0HuRj9fSlo= > +SHA256 (cargo/serde-1.0.224.tar.gz) = aq6x6U9TsWOEr1k8ceILCV6VjasdJpOcG3BkXFz7zAs= > +SHA256 (cargo/serde_core-1.0.224.tar.gz) = MvOTkPpjRuJN77zdPZVEuooZmF0K9034UB+/6aZDQas= > +SHA256 (cargo/serde_derive-1.0.224.tar.gz) = h/94q16FYcmmdb/BeFyweuch8O5TMppZXO/YwEwqxOA= > +SHA256 (cargo/serde_json-1.0.145.tar.gz) = QCpvZtjHCRFs8i9VjqshD1pQGH9wLrTX5e842afxx5w= > SHA256 (cargo/serde_urlencoded-0.7.1.tar.gz) = 00kcFHFcoilMTWqI8V6Ec5eIwdAw7tjBEENqr9qi8/0= > SHA256 (cargo/sha1-0.10.6.tar.gz) = 47+Cmi1Rq0pd3xNS2EcMFAytyDAbKuF4nbAj8Bzt1ro= > SHA256 (cargo/sha2-0.10.9.tar.gz) = p1B9gZdp0Bo2WrcHeUpAhDksgk9Up6anhi+MPQiSsoM= > @@ -199,7 +200,7 @@ SHA256 (cargo/zeroize-1.8.1.tar.gz) = zt > SHA256 (cargo/zerotrie-0.2.2.tar.gz) = NvC71HhYP3ntrZeLQHkU9hspcvWvb6CJaGAWvo+a9ZU= > SHA256 (cargo/zerovec-0.11.2.tar.gz) = SgXrCA4BW6OcyeI7vl5/sE1fsEA1D5nzTjONX90pRCg= > SHA256 (cargo/zerovec-derive-0.11.1.tar.gz) = W5YjfvoMh4xkvYnENvZhvk5GsvPv8eu5dvfvIyHS9Y8= > -SHA256 (synapse-1.138.0.tar.gz) = HvSgLweNcUWzxPoGsvBCzZtSiKSmY7LQlbRYYPOShX8= > +SHA256 (synapse-1.139.1.tar.gz) = q/k6/JKTTVjzuUhwKqqtw5irtwVqYmz3ji1XqmvPbeg= > SIZE (cargo/addr2line-0.24.2.tar.gz) = 39015 > SIZE (cargo/adler2-2.0.1.tar.gz) = 13366 > SIZE (cargo/aho-corasick-1.1.3.tar.gz) = 183311 
> @@ -278,7 +279,7 @@ SIZE (cargo/lazy_static-1.5.0.tar.gz) = > SIZE (cargo/libc-0.2.174.tar.gz) = 779933 > SIZE (cargo/libm-0.2.15.tar.gz) = 156108 > SIZE (cargo/litemap-0.8.0.tar.gz) = 34344 > -SIZE (cargo/log-0.4.27.tar.gz) = 48120 > +SIZE (cargo/log-0.4.28.tar.gz) = 51131 > SIZE (cargo/lru-slab-0.1.2.tar.gz) = 9090 > SIZE (cargo/memchr-2.7.5.tar.gz) = 97603 > SIZE (cargo/memoffset-0.9.1.tar.gz) = 9032 > @@ -326,9 +327,10 @@ SIZE (cargo/ryu-1.0.20.tar.gz) = 48738 > SIZE (cargo/schannel-0.1.27.tar.gz) = 42772 > SIZE (cargo/security-framework-3.2.0.tar.gz) = 86095 > SIZE (cargo/security-framework-sys-2.14.0.tar.gz) = 20537 > -SIZE (cargo/serde-1.0.219.tar.gz) = 78983 > -SIZE (cargo/serde_derive-1.0.219.tar.gz) = 57798 > -SIZE (cargo/serde_json-1.0.143.tar.gz) = 155342 > +SIZE (cargo/serde-1.0.224.tar.gz) = 28268 > +SIZE (cargo/serde_core-1.0.224.tar.gz) = 62766 > +SIZE (cargo/serde_derive-1.0.224.tar.gz) = 57909 > +SIZE (cargo/serde_json-1.0.145.tar.gz) = 155748 > SIZE (cargo/serde_urlencoded-0.7.1.tar.gz) = 12822 > SIZE (cargo/sha1-0.10.6.tar.gz) = 13517 > SIZE (cargo/sha2-0.10.9.tar.gz) = 29271 > @@ -401,4 +403,4 @@ SIZE (cargo/zeroize-1.8.1.tar.gz) = 2002 > SIZE (cargo/zerotrie-0.2.2.tar.gz) = 74423 > SIZE (cargo/zerovec-0.11.2.tar.gz) = 124500 > SIZE (cargo/zerovec-derive-0.11.1.tar.gz) = 21294 > -SIZE (synapse-1.138.0.tar.gz) = 9114217 > +SIZE (synapse-1.139.1.tar.gz) = 9141608 > Index: modules.inc > =================================================================== > RCS file: /cvs/ports/net/synapse/modules.inc,v > diff -u -p -r1.46 modules.inc > --- modules.inc 10 Sep 2025 07:35:08 -0000 1.46 > +++ modules.inc 7 Oct 2025 13:42:07 -0000 
> @@ -76,7 +76,7 @@ MODCARGO_CRATES += lazy_static 1.5.0 # M > MODCARGO_CRATES += libc 0.2.174 # MIT OR Apache-2.0 > MODCARGO_CRATES += libm 0.2.15 # MIT > MODCARGO_CRATES += litemap 0.8.0 # Unicode-3.0 > -MODCARGO_CRATES += log 0.4.27 # MIT OR Apache-2.0 > +MODCARGO_CRATES += log 0.4.28 # MIT OR Apache-2.0 > MODCARGO_CRATES += lru-slab 0.1.2 # MIT OR Apache-2.0 OR Zlib > MODCARGO_CRATES += memchr 2.7.5 # Unlicense OR MIT > MODCARGO_CRATES += memoffset 0.9.1 # MIT > @@ -124,9 +124,10 @@ MODCARGO_CRATES += ryu 1.0.20 # Apache-2 > MODCARGO_CRATES += schannel 0.1.27 # MIT > MODCARGO_CRATES += security-framework 3.2.0 # MIT OR Apache-2.0 > MODCARGO_CRATES += security-framework-sys 2.14.0 # MIT OR Apache-2.0 > -MODCARGO_CRATES += serde 1.0.219 # MIT OR Apache-2.0 > -MODCARGO_CRATES += serde_derive 1.0.219 # MIT OR Apache-2.0 > -MODCARGO_CRATES += serde_json 1.0.143 # MIT OR Apache-2.0 > +MODCARGO_CRATES += serde 1.0.224 # MIT OR Apache-2.0 > +MODCARGO_CRATES += serde_core 1.0.224 # MIT OR Apache-2.0 > +MODCARGO_CRATES += serde_derive 1.0.224 # MIT OR Apache-2.0 > +MODCARGO_CRATES += serde_json 1.0.145 # MIT OR Apache-2.0 > MODCARGO_CRATES += serde_urlencoded 0.7.1 # MIT/Apache-2.0 > MODCARGO_CRATES += sha1 0.10.6 # MIT OR Apache-2.0 > MODCARGO_CRATES += sha2 0.10.9 # MIT OR Apache-2.0 > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/net/synapse/pkg/PLIST,v > diff -u -p -r1.70 PLIST > --- pkg/PLIST 18 Sep 2025 15:19:38 -0000 1.70 > +++ pkg/PLIST 7 Oct 2025 13:42:07 -0000 
> @@ -14,14 +14,13 @@ bin/synapse_worker > bin/synctl > bin/update_synapse_database > lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/ > +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/AUTHORS.rst > +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-AGPL-3.0 > +lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/LICENSE-COMMERCIAL > lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/METADATA > lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/RECORD > lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/WHEEL > lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/entry_points.txt > -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/ > -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/AUTHORS.rst > -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-AGPL-3.0 > -lib/python${MODPY_VERSION}/site-packages/matrix_synapse-${MODPY_DISTV}.dist-info/licenses/LICENSE-COMMERCIAL > lib/python${MODPY_VERSION}/site-packages/synapse/ > lib/python${MODPY_VERSION}/site-packages/synapse/__init__.py > ${MODPY_COMMENT}lib/python${MODPY_VERSION}/site-packages/synapse/${MODPY_PYCACHE}/ 
> @@ -2200,6 +2199,7 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_add_user_reports.sql > lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/07_event_txn_id_device_id_txn_id2.sql > lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_room_ban_redactions.sql > +lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/08_thread_subscriptions_seq_fixup.sql.postgres > lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql > lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/92/09_thread_subscriptions_update.sql.postgres > lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/full_schemas/ > @@ -2318,6 +2318,8 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}cancellation.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}check_dependencies.${MODPY_PYC_MAGIC_TAG}pyc > +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}clock.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}constants.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}daemonize.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
> @@ -2338,6 +2340,8 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}httpresourcetree.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}iterutils.${MODPY_PYC_MAGIC_TAG}pyc > +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}json.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}linked_list.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}logcontext.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
> @@ -2366,6 +2370,8 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rlimit.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}rust.${MODPY_PYC_MAGIC_TAG}pyc > +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > +lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}sentinel.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}stringutils.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/synapse/util/${MODPY_PYCACHE}task_scheduler.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > @@ -2415,6 +2421,7 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/synapse/util/caches/ttlcache.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/cancellation.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/check_dependencies.py > +lib/python${MODPY_VERSION}/site-packages/synapse/util/clock.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/constants.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/daemonize.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/distributor.py 
> @@ -2425,6 +2432,7 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/synapse/util/hash.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/httpresourcetree.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/iterutils.py > +lib/python${MODPY_VERSION}/site-packages/synapse/util/json.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/linked_list.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/logcontext.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/logformatter.py > @@ -2439,6 +2447,7 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/synapse/util/retryutils.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/rlimit.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/rust.py > +lib/python${MODPY_VERSION}/site-packages/synapse/util/sentinel.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/stringutils.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/task_scheduler.py > lib/python${MODPY_VERSION}/site-packages/synapse/util/templates.py
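Review bot: the serde bump to 1.0.224 in the distinfo and modules.inc hunks introduces a new `serde_core 1.0.224` crate, and the `serde-1.0.224.tar.gz` SIZE falling from 78983 to 28268 is consistent with upstream moving most of serde's body into that new crate; the SHA256 line, the SIZE line and `MODCARGO_CRATES += serde_core 1.0.224 # MIT OR Apache-2.0` all agree, so the crate list looks complete for that change. Since only log, serde, serde_core, serde_derive and serde_json move in the hunks shown, it is worth regenerating modules.inc from the 1.139.1 Cargo.lock rather than hand-editing, so that any other transitive crate change between 1.138.0 and 1.139.1 is not missed.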
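Review bot: in the first pkg/PLIST hunk (`@@ -14,14 +14,13 @@`) the `dist-info/licenses/` directory and its three files are removed and `AUTHORS.rst`, `LICENSE-AGPL-3.0` and `LICENSE-COMMERCIAL` reappear directly under `dist-info/`, which is a wheel-metadata layout change rather than a dropped file, and the header count matches (four lines out, three in). Because that layout is decided by the build tooling, regenerating the list with `make update-plist` against the 1.139.1 build is safer than a hand edit and would also catch any other relocated metadata file.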
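Review bot: the `@@ -2200,6 +2199,7 @@` hunk adds `08_thread_subscriptions_seq_fixup.sql.postgres` with no plain `.sql` or sqlite counterpart, whereas the neighbouring `09_thread_subscriptions_update` delta ships both `.sql` and `.sql.postgres`; a sequence fixup that only applies to PostgreSQL is plausible, but check the extracted `delta/92/` directory to confirm no `.sql.sqlite` variant is missing from the PLIST.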
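Review bot: the remaining pkg/PLIST hunks add `clock.py`, `json.py` and `sentinel.py` under `synapse/util/`, and each one has its matching `${MODPY_PYOEXTENSION}` and `pyc` pair in the corresponding `${MODPY_PYCACHE}` hunks, so the bytecode entries are complete and the hunk headers (`+2`, `+2`, `+2` for the cache entries, `+1` each for the sources) are consistent with that.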