automation: Update matrix-synapse to version 1.61.1
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| matrix-synapse | patch |
1.61.0 -> 1.61.1
|
Release Notes
matrix-org/synapse
v1.61.1
===========================
This patch release fixes a security issue regarding URL previews, affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.
Security advisory
The following issue is fixed in 1.61.1.
-
GHSA-22p3-qrh9-cx32 / CVE-2022-31052
Synapse instances with the
url_preview_enabledhomeserver config option set totrueare affected. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.Requesting URL previews requires authentication. Nevertheless, it is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for.
Homeservers with the
url_preview_enabledconfiguration option set tofalse(the default) are unaffected. Instances with theenable_media_repoconfiguration option set tofalseare also unaffected, as this also disables URL preview functionality.Fixed by fa1308061802ac7b7d20e954ba7372c5ac292333.
Configuration
-
If you want to rebase/retry this MR, click this checkbox.
This MR has been generated by Renovate Bot. The local configuration can be found in the local Renovate Bot repository.