matrix-synapse-1.93.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13270 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z matrix-synapse-1.93.0-1.1 on GA media These are all security issues fixed in the matrix-synapse-1.93.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13270 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13270 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-41335/ SUSE CVE CVE-2023-41335 page https://www.suse.com/security/cve/CVE-2023-42453/ SUSE CVE CVE-2023-42453 page https://www.suse.com/security/cve/CVE-2023-4863/ SUSE CVE CVE-2023-4863 page openSUSE Tumbleweed matrix-synapse-1.93.0-1.1 matrix-synapse-1.93.0-1.1 as a component of openSUSE Tumbleweed Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-41335 openSUSE Tumbleweed:matrix-synapse-1.93.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-41335.html CVE-2023-41335 https://bugzilla.suse.com/1215757 SUSE Bug 1215757 Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-42453 openSUSE Tumbleweed:matrix-synapse-1.93.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-42453.html CVE-2023-42453 https://bugzilla.suse.com/1215757 SUSE Bug 1215757 Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) CVE-2023-4863 openSUSE Tumbleweed:matrix-synapse-1.93.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-4863.html CVE-2023-4863 https://bugzilla.suse.com/1215231 SUSE Bug 1215231 https://bugzilla.suse.com/1217115 SUSE Bug 1217115 https://bugzilla.suse.com/1217117 SUSE Bug 1217117