Arch Linux Security Advisory ASA-201901-12
==========================================
Severity: High
Date    : 2019-01-24
CVE-ID  : CVE-2019-5885
Package : matrix-synapse
Type    : private key recovery
Remote  : No
Link    : https://security.archlinux.org/AVG-846
Summary
=======
The package matrix-synapse before version 0.34.1.1-1 is vulnerable to
private key recovery.
Resolution
==========
Upgrade to 0.34.1.1-1.
# pacman -Syu "matrix-synapse>=0.34.1.1-1"
The problem has been fixed upstream in version 0.34.1.1.
Workaround
==========
None.
Description
===========
matrix-synapse before 0.34.1 is vulnerable to private key recovery. If
no "macaroon_secret_key" is specified in the configuration file, Synapse
attempts to derive one from the other secrets given there. However, in
all versions of Synapse up to and including 0.34.0, this derivation was
faulty and a predictable value was used instead.
Impact
======
If no macaroon_secret_key is specified, a predictable key is used in its
place. This allows the secret key to be recovered and, with it, the
access tokens (macaroons) that Synapse signs with that key to be forged.
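A small audit helper, added here as an example (it is not part of the Arch advisory nor of Synapse itself), that checks the two conditions the advisory describes: whether the installed version predates the upstream fix in 0.34.1, and whether homeserver.yaml leaves macaroon_secret_key unset, which is the case in which the faulty derivation runs. It assumes the version string is supplied by the operator (for example from `pacman -Q matrix-synapse` or `pip show matrix-synapse`; the script does not run either) and that macaroon_secret_key is a top-level scalar in homeserver.yaml, as in Synapse's generated config. The two sample configs are constructed for the example and contain no real secrets.

```python
"""Audit helper for CVE-2019-5885 (Synapse macaroon_secret_key derivation).

Added example; not code from the Arch advisory or the Synapse project.
Reports whether an upgrade is required and whether the deployment relies
on the faulty fallback derivation (no explicit macaroon_secret_key).
"""
import re

UPSTREAM_FIXED = (0, 34, 1)   # upstream fix named in the advisory

# Matches a top-level YAML key and whatever follows the colon.
_TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:(.*)$")


def parse_version(ver):
    """Turn '0.34.0', 'v0.34.1' or the Arch form '0.34.1.1-1' into an int tuple.

    The Arch pkgrel suffix ('-1') is dropped: only the upstream version
    decides whether the fix is present.
    """
    ver = ver.strip().lstrip("v").split("-", 1)[0]
    parts = ver.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised version string: %r" % ver)
    return tuple(int(p) for p in parts)


def version_has_fix(ver, fixed=UPSTREAM_FIXED):
    """True if the installed version is at or after the fixed release."""
    return parse_version(ver) >= fixed


def _scalar(value):
    """Extract a YAML scalar, honouring quotes so '#' inside a secret survives."""
    value = value.strip()
    if value[:1] in ('"', "'"):
        quote = value[0]
        end = value.find(quote, 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted: drop any trailing comment.
    return re.split(r"\s#", value, 1)[0].strip()


def explicit_macaroon_secret_key(config_text):
    """Return the configured macaroon_secret_key, or None if absent or empty.

    A deliberately minimal scan of top-level keys: nested keys (indented
    lines) and comment lines are skipped. An empty value counts as unset,
    since Synapse treats it as falsy and falls back to derivation.
    """
    for raw in config_text.splitlines():
        if not raw or raw[0].isspace() or raw.startswith("#"):
            continue
        m = _TOP_LEVEL_KEY.match(raw)
        if m and m.group(1) == "macaroon_secret_key":
            return _scalar(m.group(2)) or None
    return None


def audit(installed_version, config_text):
    """Summarise exposure to CVE-2019-5885 for one deployment."""
    fixed = version_has_fix(installed_version)
    key = explicit_macaroon_secret_key(config_text)
    return {
        "upgrade_required": not fixed,
        "explicit_macaroon_secret_key": key is not None,
        # Per the advisory's Impact, the predictable value is only used
        # when no macaroon_secret_key is configured.
        "predictable_key_in_use": (not fixed) and key is None,
    }


# Constructed sample configs (not real deployments, no real secrets).
CONFIG_NO_KEY = """\
server_name: "example.invalid"
# macaroon_secret_key: ""   <- commented out, so Synapse derives one
registration_shared_secret: "not-a-real-secret"
listeners:
  - port: 8008
    type: http
"""
CONFIG_WITH_KEY = CONFIG_NO_KEY + 'macaroon_secret_key: "Zm9v#bar"  # constructed\n'

if __name__ == "__main__":
    for ver, cfg in (("0.34.0", CONFIG_NO_KEY), ("0.34.0", CONFIG_WITH_KEY),
                     ("0.34.1.1-1", CONFIG_NO_KEY)):
        print(ver, audit(ver, cfg))
```

Whatever the config says, the advisory's resolution is the package upgrade; the "predictable_key_in_use" flag only tells you whether the faulty derivation was actually being exercised, which is useful when deciding whether existing access tokens should be treated as compromised.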
References
==========
https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
https://security.archlinux.org/CVE-2019-5885