
    ArchLinux: 201901-12: matrix-synapse: private key recovery

    Date: 27 Jan 2019
    Category: ArchLinux
    Posted By: Anthony Pell
    The package matrix-synapse before version 0.34.1.1-1 is vulnerable to private key recovery.
    Arch Linux Security Advisory ASA-201901-12
    ==========================================
    
    Severity: High
    Date    : 2019-01-24
    CVE-ID  : CVE-2019-5885
    Package : matrix-synapse
    Type    : private key recovery
    Remote  : No
    Link    : https://security.archlinux.org/AVG-846
    
    Summary
    =======
    
    The package matrix-synapse before version 0.34.1.1-1 is vulnerable to
    private key recovery.
    
    Resolution
    ==========
    
    Upgrade to 0.34.1.1-1.
    
    # pacman -Syu "matrix-synapse>=0.34.1.1-1"
    
    The problem has been fixed upstream in version 0.34.1.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    matrix-synapse before 0.34.1 is vulnerable to private key recovery: when
    no "macaroon_secret_key" is configured, synapse attempts to derive one from
    the other secrets specified in the configuration file. However, in all
    versions of Synapse up to and including 0.34.0, this derivation was faulty
    and a predictable value was used instead.
    
    Impact
    ======
    
    If no private key is specified, a predictable key is derived and used
    instead, allowing private key recovery.
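    As an added defender-side check, not part of the advisory or of Synapse itself, the following Python audits a Synapse homeserver.yaml and the installed version against the condition described above: a pre-0.34.1.1 server with no explicit "macaroon_secret_key". It assumes the secret is a top-level flat YAML key, MIN_SECRET_LEN is an assumed local policy value, and both sample configs are constructed.

```python
import re
from typing import Dict, List, Tuple

# First upstream release with the fix, per ASA-201901-12.
FIXED_UPSTREAM = (0, 34, 1, 1)
# Assumed local policy for an explicitly configured secret; not from the advisory.
MIN_SECRET_LEN = 32


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.34.0' or the Arch pkgver '0.34.1.1-1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def version_is_fixed(version: str) -> bool:
    """True when the installed Synapse is 0.34.1.1 or later."""
    return parse_version(version) >= FIXED_UPSTREAM


def top_level_scalars(yaml_text: str) -> Dict[str, str]:
    """Minimal reader for unindented 'key: value' lines; not a full YAML parser."""
    scalars: Dict[str, str] = {}
    for line in yaml_text.splitlines():
        match = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", line)
        if match:
            key, value = match.groups()
            # Drop a trailing comment and surrounding quotes.
            value = value.split(" #")[0].strip().strip("\"'")
            scalars[key] = value
    return scalars


def audit(config_text: str, installed_version: str) -> List[str]:
    """Return findings relevant to CVE-2019-5885 for one Synapse deployment."""
    findings: List[str] = []
    if not version_is_fixed(installed_version):
        findings.append(f"synapse {installed_version} predates 0.34.1.1: a derived "
                        "macaroon key is predictable (CVE-2019-5885)")
    secret = top_level_scalars(config_text).get("macaroon_secret_key", "")
    if not secret:
        findings.append("macaroon_secret_key not set: key is derived from other "
                        "secrets; set an explicit random value")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"macaroon_secret_key shorter than {MIN_SECRET_LEN} chars")
    return findings


# Constructed sample configs: one relying on derivation, one with an explicit key.
WEAK_CONFIG = "server_name: example.org\n# macaroon_secret_key not configured\n"
FIXED_CONFIG = ("server_name: example.org\n"
                'macaroon_secret_key: "CONSTRUCTED_PLACEHOLDER_SECRET_0123456789abcdef"\n')
```

Running audit(WEAK_CONFIG, "0.34.0") reports both the vulnerable version and the missing key, while audit(FIXED_CONFIG, "0.34.1.1-1") returns no findings.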
    
    References
    ==========
    
    https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
    https://security.archlinux.org/CVE-2019-5885
    
