
Update request: matrix-synapse 1.92.3 (security) #256862

Closed
1 task done
pacien opened this issue Sep 23, 2023 · 2 comments
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one

Comments

@pacien
Contributor

pacien commented Sep 23, 2023

This week we released Synapse 1.92.3 in response to CVE-2023-4863,
a critical vulnerability in libwebp.
Server administrators are encouraged to upgrade as soon as possible.

I'm not sure whether our libwebp used by Pillow is patched in another way.


  • Package name: matrix-synapse

  • Latest released version: 1.92.3

  • Current version on the unstable channel: 1.92.1

  • Current version on the stable/release channel: 1.92.1

  • Checked the nixpkgs pull requests

Notify maintainers

@Ma27
@fadenb
@mguentner
@Ralith
@dandellion
@sumnerevans
@NickCao


Note for maintainers: Please tag this issue in your PR.

@pacien pacien added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Sep 23, 2023
@pacien pacien changed the title Update requeste: matrix-synapse 1.92.3 (security) Update request: matrix-synapse 1.92.3 (security) Sep 23, 2023
@pacien
Contributor Author

pacien commented Sep 23, 2023

Related to: #254798

@Ma27
Member

Ma27 commented Sep 23, 2023

This only updates the version constraint in pyproject.toml / poetry[1]. We however use pillow provided by our python package-set. In other words, the changes in 1.92.3 are not relevant for us which is why I didn't do the upgrade (and I guess the same applies to the other maintainers).

In fact we aren't even impacted by pillow 10.0.0 being vulnerable because we use the distribution's libwebp rather than the one bundled with pillow: #255858 (comment)

Closing since I don't think there's anything actionable (or even security-relevant) here. (On a personal note I think that this is primarily an example of why it's good to not use vendored dependencies)

[1] matrix-org/synapse@v1.92.2...v1.92.3

@Ma27 Ma27 closed this as completed Sep 23, 2023
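A check a packager can run to confirm the point Ma27 makes above: whether the Pillow that Synapse imports links the distribution's libwebp or the copy vendored in the wheel, and whether that libwebp is at least 1.3.2, the release that fixed CVE-2023-4863. This is an added example, not code from the issue, Synapse or nixpkgs; it assumes Linux with `ldd` on PATH and Pillow's public `PIL.features.version()`, and the `ldd` lines used for testing are constructed.

```python
"""Does this Pillow use the distribution's libwebp, and is it >= the fixed version?
Added example (not from the issue, Synapse or nixpkgs); assumes Linux with ldd."""
import re
import subprocess
import sys

FIXED_LIBWEBP = (1, 3, 2)  # first libwebp release with the CVE-2023-4863 fix


def parse_version(text):
    """'1.3.2', or a store path containing it, as a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def libwebp_is_patched(version_text):
    return parse_version(version_text) >= FIXED_LIBWEBP


def libwebp_from_ldd(ldd_output):
    """Path ldd resolved for libwebp (not libwebpmux/demux), or None if the
    extension has no such shared dependency (e.g. statically linked)."""
    for line in ldd_output.splitlines():
        m = re.match(r"\s*libwebp(-[0-9a-f]+)?\.so\S*\s*=>\s*(\S+)", line)
        if m:
            return m.group(2)
    return None


def is_vendored(path):
    """auditwheel-built wheels ship libwebp under <pkg>.libs/; a path outside
    the package (e.g. /nix/store/...-libwebp-1.3.2/lib/) is the distribution's."""
    return path is None or ".libs/" in path


def check_live():
    """Inspect the Pillow this interpreter imports (needs Pillow and ldd)."""
    from PIL import _webp, features
    ldd = subprocess.run(["ldd", _webp.__file__], capture_output=True, text=True)
    path = libwebp_from_ldd(ldd.stdout)
    version = features.version("webp") or "0.0.0"  # None when WebP support is absent
    where = "vendored" if is_vendored(path) else f"distribution ({path})"
    print(f"libwebp {version}, {where}, patched={libwebp_is_patched(version)}")
    return libwebp_is_patched(version)


if __name__ == "__main__":
    sys.exit(0 if check_live() else 1)
```

Run it inside the same Python environment Synapse uses (for nixpkgs, the `python3.withPackages` set); exit status 0 means the loaded libwebp already carries the fix.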