matrix.org/static/blog/wp-content/uploads/2016/11/synapse-debian-security-ann...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Synapse Debian Package Security Announcement - and Synapse 0.18.3
=================================================================
We were advised of a bug in the LDAP integration an hour ago that allowed
unauthenticated login in certain circumstances when using an old version of the
ldap3 Python module (v0.9.x).

Currently this is only known to affect the Debian packages of Synapse. A fix
has been pushed, v0.18.2-2, and you are strongly advised to update as soon as
possible.

Synapse installed using pip should not be affected, as pip will have bundled a
newer version of the ldap3 module.

UPDATE: Synapse v0.18.3 released

This issue only affects OS (not virtualenv) installations using v0.9.x of the
ldap3 Python package (e.g. Debian Stable (Jessie)). Synapse itself specifies a
dependency on >v1.0 of ldap3, but because that dependency is optional there is a
risk that a stale operating-system package will be pulled in instead. To be
safe, Synapse 0.18.3 has just been released to fix the underlying problem for
anyone using the older ldap3 package, regardless of their OS.
https://github.com/matrix-org/synapse/releases/tag/v0.18.3 has the details.

Many thanks to Adrián Pérez for reporting the problem, and to hexa- for
assistance in quickly solving it!
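As an added check written for this page (not code from the announcement or from the Synapse project), the Python below resolves which ldap3 an interpreter would actually import, flags the 0.9.x series the advisory names, and reports whether the interpreter is a virtualenv; it assumes ldap3 exposes `__version__` and treats the advisory's ">v1.0" as "1.0 or newer".

```python
import importlib
import re
import sys
from typing import Optional, Tuple

# From the advisory: Synapse wants ldap3 newer than 1.0 (assumed here to mean
# 1.0 or later), and the 0.9.x series is the affected one.
REQUIRED_MIN = (1, 0)
AFFECTED_MAJOR_MINOR = (0, 9)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.9.8.8', '2.0.9' or '1.0.4rc1' into a tuple of ints.

    Non-numeric suffixes are dropped so comparison stays numeric, and the
    result is padded to at least two components so '1' compares as 1.0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def ldap3_is_affected(version: str) -> bool:
    """True when the ldap3 version is from the 0.9.x series named in the advisory."""
    return parse_version(version)[:2] == AFFECTED_MAJOR_MINOR


def meets_requirement(version: str) -> bool:
    """True when ldap3 satisfies the minimum version Synapse declares."""
    return parse_version(version) >= REQUIRED_MIN


def running_in_virtualenv() -> bool:
    # The advisory says only OS installs are at risk: a virtualenv gets its
    # own ldap3 from pip rather than the distribution's package.
    return sys.prefix != getattr(sys, "base_prefix", sys.prefix)


def assess_installed_ldap3() -> Optional[str]:
    """Describe the ldap3 that `import ldap3` resolves to, or None if absent.

    Because the dependency is optional, an absent module means the LDAP
    provider cannot run at all rather than that it runs insecurely."""
    try:
        mod = importlib.import_module("ldap3")
    except ImportError:
        return None
    version = getattr(mod, "__version__", "0")  # assumption: attribute exists
    if ldap3_is_affected(version):
        status = "AFFECTED (0.9.x)"
    elif meets_requirement(version):
        status = "ok"
    else:
        status = "too old"
    return (f"ldap3 {version} at {getattr(mod, '__file__', '?')}: {status} "
            f"(virtualenv={running_in_virtualenv()})")
```

Run `python -c 'import check; print(check.assess_installed_ldap3())'` with the file saved as `check.py` under the same interpreter that runs Synapse; a result ending in "AFFECTED" with `virtualenv=False` is exactly the case the advisory describes.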