Several security issues were fixed in Synapse.

Software Description:
- matrix-synapse: Synapse: Matrix homeserver written in Python/Twisted.

Details:

It was discovered that Synapse network policies could be bypassed via
specially crafted URLs. An attacker could possibly use this issue to
bypass authentication mechanisms. (CVE-2023-32683)

It was discovered that Synapse exposed cached device information. An
attacker could possibly use this issue to gain access to sensitive
information. (CVE-2023-43796)

It was discovered that Synapse could be tricked into rejecting state
changes in rooms. An attacker could possibly use this issue to cause
Synapse to stop functioning properly, resulting in a denial of service.
This issue was only fixed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-39374)

It was discovered that Synapse stored user credentials in a server's
database temporarily. An attacker could possibly use this issue to
gain access to sensitive info...

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  matrix-synapse 1.53.0-1ubuntu0.1~esm2
  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  matrix-synapse 1.11.0-1ubuntu0.1~esm2
  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  matrix-synapse 0.24.0+dfsg-1ubuntu0.1~esm4
  Available with Ubuntu Pro

After a standard system update you need to restart Synapse to make all
the necessary changes.

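
To audit an inventory of hosts against the fixed versions listed above, the following added example (not part of the notice and not Ubuntu or Synapse code) reimplements Debian version ordering, including the `~` rule that the `~esm` suffixes depend on. The names `FIXED`, `deb_compare` and `is_patched` are hypothetical; only the three fixed version strings come from this notice.

```python
import re
# Fixed versions copied from this notice (Ubuntu release -> matrix-synapse version).
FIXED = {
    "22.04": "1.53.0-1ubuntu0.1~esm2",
    "20.04": "1.11.0-1ubuntu0.1~esm2",
    "18.04": "0.24.0+dfsg-1ubuntu0.1~esm4",
}
_DIGITS = "0123456789"

def _order(c):
    # dpkg character ranking: '~' < end-of-string/digit < letters < other symbols
    if c == "~":
        return -1
    if c in _DIGITS:  # also true for the empty string (end of input)
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:
        # Compare the leading non-digit run one character at a time.
        while (a and a[0] not in _DIGITS) or (b and b[0] not in _DIGITS):
            x, y = _order(a[:1]), _order(b[:1])
            if x != y:
                return -1 if x < y else 1
            a, b = a[1:], b[1:]
        # Then compare the digit run numerically (an empty run counts as 0).
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        x, y = int(na or 0), int(nb or 0)
        if x != y:
            return -1 if x < y else 1
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is "0"
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "0")

def deb_compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, installed):
    """True when the installed matrix-synapse version is at or above the fix."""
    return deb_compare(installed, FIXED[release]) >= 0
```

On a live Ubuntu host, `dpkg --compare-versions` applies the same ordering to the output of `dpkg-query`.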
https://ubuntu.com/security/notices/USN-7444-1
CVE-2022-39335, CVE-2022-39374, CVE-2023-32683, CVE-2023-41335,
CVE-2023-42453, CVE-2023-43796, CVE-2024-31208, CVE-2024-53863