implementation is unusably old and contains significant security problems

Bug #1848709 reported by Richard van der Hoff
This bug affects 3 people

Affects                   Status         Importance   Assigned to   Milestone
matrix-synapse (Debian)   Fix Released   Unknown
matrix-synapse (Ubuntu)   Incomplete     Undecided    Unassigned

Bug Description

The versions of matrix-synapse in 18.04 and 18.10 are sufficiently old that they will be unable to communicate with any other Matrix servers. They also contain a number of known security problems, including CVE-2019-5885 [1].

It would be preferable to remove the unmaintained packages from at least bionic and cosmic, rather than provide outdated packages containing significant security problems.

Better-maintained packages are available for Ubuntu users in the matrix.org repositories [2].

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5885

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in matrix-synapse (Ubuntu):
status: New → Confirmed
Revision history for this message
Richard van der Hoff (richvdh) wrote :

To add to this: 20.04 LTS now contains a Synapse release with known security problems, including CVE-2020-26891, CVE-2020-26890 and CVE-2020-26257.

Revision history for this message
David Robertson (dmrobertsonelement) wrote :

Since Richard's last comment there have been a number of additional security advisories [1].

Those not listed under "CVE References" above are:

- CVE-2021-21273
- CVE-2021-21274
- CVE-2021-21332
- CVE-2021-21333
- CVE-2021-21392
- CVE-2021-21393
- CVE-2021-21394
- CVE-2021-29471
- CVE-2021-39164
- CVE-2022-31052
- CVE-2022-31152

And also
- https://github.com/matrix-org/synapse/security/advisories/GHSA-7h5v-85w9-pq6c
- https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h

[1]: https://github.com/matrix-org/synapse/security/advisories

tags: added: community-security
Revision history for this message
Jeremy Bícha (jbicha) wrote :

I'm subscribing the Ubuntu Archive Team to suggest that matrix-synapse be removed and blocked from autosync. The package is automatically synced from Debian Unstable, but Debian does not include matrix-synapse in Debian Stable releases.

Changed in matrix-synapse (Debian):
status: Unknown → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

> but Debian does not include matrix-synapse in Debian Stable releases.

[citation needed]

matrix-synapse /was not/ included in the most recent Debian release. But there are no open release-critical bugs against it and it is in Debian testing, so there is nothing to indicate that /as a policy/ it is not being included in Debian releases.

And the bug originally reported here was against the version of the package in bionic, a year and a half after bionic released. That security vulnerabilities were discovered in a package over the life cycle of a stable release is also not a reason for us to remove it.

I would certainly accept guidance from the Security Team that this package should be removed so that it does not have to be supported under ESM.

But https://ubuntu.com/security/cves?q=&package=matrix-synapse&priority=&version=&status= also shows none of these CVEs are scored above 'medium' priority.

Changed in matrix-synapse (Ubuntu):
status: Confirmed → Incomplete