Fedora 30 : matrix-synapse (2019-80f1943143)

high Nessus Plugin ID 127518

Synopsis

The remote Fedora host is missing a security update.

Description

This release includes four security fixes:

- Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms.

- Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely.

- Prevent an attack where users could be joined or parted from public rooms without their consent.

- Fix a vulnerability where a federated server could spoof read-receipts from users on other servers.

See https://github.com/matrix-org/synapse/releases/tag/v1.2.1 for complete details.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected matrix-synapse package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2019-80f1943143

https://github.com/matrix-org/synapse/releases/tag/v1.2.1

Plugin Details

Severity: High

ID: 127518

File Name: fedora_2019-80f1943143.nasl

Version: 1.2

Type: local

Agent: unix

Published: 8/12/2019

Updated: 9/23/2019

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:30, p-cpe:/a:fedoraproject:fedora:matrix-synapse

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 8/4/2019

Vulnerability Publication Date: 8/4/2019

Reference Information