automation: Update matrix-synapse Docker tag to v1.47.1

Housekeeper (bot) requested to merge renovate/matrix-synapse-1.x into master

This MR contains the following updates:

Package Update Change
matrix-synapse patch 1.47.0 -> 1.47.1

Release Notes

matrix-org/synapse

v1.47.1

This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.

Security advisory

The following issue is fixed in 1.47.1.

  • GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when downloading remote media.

    Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory.

    The last two directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact.

    Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected.

    Fixed by 91f2bd090.


Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.
This MR has been generated by Renovate Bot. The local configuration can be found in the local Renovate Bot repository.

Edited by Housekeeper (bot)
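
The advisory quoted above describes a download path whose leading part can be steered outside the media store while the last two directories and file name stay random. The following is an added example, not Synapse's code and not the change in 91f2bd090: it places an unchecked path join beside a hardened form. It assumes the leading component is taken from the remote server's name, and the `remote_content/<origin>/<dir>/<dir>/<file>` layout and all function names are hypothetical.

```python
import os
import re
import secrets

# Assumed layout (illustration only): <base>/remote_content/<origin>/<aa>/<bb>/<rest>
# Allow-list for the origin label: hostname or bracketed IPv6 literal, optional port.
_ORIGIN_RE = re.compile(r"(?:[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?")


def unsafe_remote_media_path(base: str, origin: str) -> str:
    """'Before' form: the remote-supplied origin is joined in unchecked."""
    file_id = secrets.token_hex(12)  # random tail, not attacker-controlled
    return os.path.join(
        base, "remote_content", origin, file_id[:2], file_id[2:4], file_id[4:]
    )


def escapes(base: str, path: str) -> bool:
    """True if path resolves to a location outside base."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


def safe_remote_media_path(base: str, origin: str) -> str:
    """Hardened form: validate the origin, then confirm containment."""
    # Layer 1: reject anything that is not a plausible server name.
    if origin in (".", "..") or not _ORIGIN_RE.fullmatch(origin):
        raise ValueError(f"invalid origin: {origin!r}")
    # Layer 2: resolve the final path and require it to stay under base,
    # so a gap in the allow-list still cannot place a file elsewhere.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(unsafe_remote_media_path(base_real, origin))
    if escapes(base_real, candidate):
        raise ValueError("path escapes media store")
    return candidate
```

The containment check runs on the fully resolved path, so it also covers symlinks that already exist under the base directory.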