ArchLinux: 201901-12: matrix-synapse: private key recovery

    Date: 27 Jan 2019
    Category: ArchLinux
    Posted By: Anthony Pell
    The package matrix-synapse before version 0.34.1.1-1 is vulnerable to private key recovery.
    Arch Linux Security Advisory ASA-201901-12
    ==========================================
    
    Severity: High
    Date    : 2019-01-24
    CVE-ID  : CVE-2019-5885
    Package : matrix-synapse
    Type    : private key recovery
    Remote  : No
    Link    : https://security.archlinux.org/AVG-846
    
    Summary
    =======
    
    The package matrix-synapse before version 0.34.1.1-1 is vulnerable to
    private key recovery.
    
    Resolution
    ==========
    
    Upgrade to 0.34.1.1-1.
    
    # pacman -Syu "matrix-synapse>=0.34.1.1-1"
    
    The problem has been fixed upstream in version 0.34.1.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    matrix-synapse before 0.34.1 is vulnerable to private key recovery: when
    no "macaroon_secret_key" is specified in the configuration file, Synapse
    attempts to derive one from the other secrets in that file. However, in
    all versions of Synapse up to and including 0.34.0, this derivation was
    faulty and a predictable value was used instead.
    
    Impact
    ======
    
    If no private key is specified, a predictable key is used, allowing
    private key recovery.
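A defender-side check for the condition described above, added here as an example (not Synapse's or Arch's own code): it reads the top-level settings of a homeserver.yaml and reports whether macaroon_secret_key is unset or looks too short to be random. The length and distinct-character thresholds are this example's assumptions, and the sample configs are constructed.

```python
"""Audit a Synapse homeserver.yaml for the condition behind CVE-2019-5885.

Added example, not Synapse's own code. It only understands unindented
"key: value" lines; a full audit should load the file with PyYAML.
"""
import re

# Matches an unindented "key: value" line; indented and commented lines are skipped.
_TOP_LEVEL = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$')


def parse_top_level(text):
    """Return {key: value} for top-level scalar settings in a YAML-like file."""
    cfg = {}
    for line in text.splitlines():
        m = _TOP_LEVEL.match(line)
        if not m:
            continue
        key, val = m.groups()
        val = val.split(' #', 1)[0].strip()          # drop a trailing comment
        if len(val) >= 2 and val[0] == val[-1] and val[0] in '"\'':
            val = val[1:-1]                          # unquote
        cfg[key] = val
    return cfg


def audit_macaroon_secret(cfg, min_len=32, min_distinct=16):
    """Return findings; an empty list means macaroon_secret_key is set and looks random.

    min_len and min_distinct are assumptions of this example, not Synapse requirements.
    """
    val = cfg.get("macaroon_secret_key", "")
    if not val:
        return ["macaroon_secret_key is unset: Synapse <= 0.34.0 falls back to a "
                "predictable value (CVE-2019-5885); set an explicit key and upgrade"]
    findings = []
    if len(val) < min_len:
        findings.append(f"macaroon_secret_key is only {len(val)} chars (< {min_len})")
    if len(set(val)) < min_distinct:
        findings.append(f"macaroon_secret_key uses only {len(set(val))} distinct chars")
    return findings


# Constructed sample configs (not real secrets).
SAMPLE_UNSET = 'server_name: "example.test"\n# macaroon_secret_key: ""\n'
SAMPLE_WEAK = 'server_name: "example.test"\nmacaroon_secret_key: "changeme"\n'
SAMPLE_OK = ('server_name: "example.test"\n'
             'macaroon_secret_key: "Kz9vX2bL8qR4wN7mT1yH6cP3dF5gJ0sA"  # constructed\n')

if __name__ == "__main__":
    for name, text in (("unset", SAMPLE_UNSET), ("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_macaroon_secret(parse_top_level(text)) or "no findings")
```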
    
    References
    ==========
    
    https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
    https://security.archlinux.org/CVE-2019-5885
    