matrix-synapse-1.120.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14541-1 Final 1 1 2024-12-04T00:00:00Z current 2024-12-04T00:00:00Z 2024-12-04T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z matrix-synapse-1.120.2-1.1 on GA media These are all security issues fixed in the matrix-synapse-1.120.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14541 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-37302/ SUSE CVE CVE-2024-37302 page https://www.suse.com/security/cve/CVE-2024-37303/ SUSE CVE CVE-2024-37303 page https://www.suse.com/security/cve/CVE-2024-52805/ SUSE CVE CVE-2024-52805 page https://www.suse.com/security/cve/CVE-2024-52815/ SUSE CVE CVE-2024-52815 page https://www.suse.com/security/cve/CVE-2024-53863/ SUSE CVE CVE-2024-53863 page https://www.suse.com/security/cve/CVE-2024-53867/ SUSE CVE CVE-2024-53867 page openSUSE Tumbleweed matrix-synapse-1.120.2-1.1 matrix-synapse-1.120.2-1.1 as a component of openSUSE Tumbleweed Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached. CVE-2024-37302 openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-37302.html CVE-2024-37302 https://bugzilla.suse.com/1234110 SUSE Bug 1234110 Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector. CVE-2024-37303 openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-37303.html CVE-2024-37303 https://bugzilla.suse.com/1234110 SUSE Bug 1234110 Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type. CVE-2024-52805 openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-52805.html CVE-2024-52805 https://bugzilla.suse.com/1234110 SUSE Bug 1234110 Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users. CVE-2024-52815 openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-52815.html CVE-2024-52815 https://bugzilla.suse.com/1234110 SUSE Bug 1234110 Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1. CVE-2024-53863 openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-53863.html CVE-2024-53863 https://bugzilla.suse.com/1234110 SUSE Bug 1234110 Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1. CVE-2024-53867 openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-53867.html CVE-2024-53867 https://bugzilla.suse.com/1234110 SUSE Bug 1234110