| tag name | v1.61.1 (a73970315aa73944904399e78ac8957a0f2cbec6) |
| tag date | 2022-06-28 14:46:30 +0100 |
| tagged by | Andrew Morgan <andrewm@element.io> |
| tagged object | commit 09d89ddc1f... |
| download | synapse-1.61.1.tar.xz |
Synapse 1.61.1 (2022-06-28)
===========================

This patch release fixes a security issue regarding URL previews, affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.

The following issue is fixed in 1.61.1.

* [GHSA-22p3-qrh9-cx32](https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32) / [CVE-2022-31052](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31052)

  Synapse instances with the [`url_preview_enabled`](https://matrix-org.github.io/synapse/v1.61/usage/configuration/config_documentation.html#media-store) homeserver config option set to `true` are affected. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.

  Requesting URL previews requires authentication. Nevertheless, it is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for.

  Homeservers with the `url_preview_enabled` configuration option set to `false` (the default) are unaffected. Instances with the `enable_media_repo` configuration option set to `false` are also unaffected, as this also disables URL preview functionality.

  Fixed by [fa1308061802ac7b7d20e954ba7372c5ac292333](https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333).
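The affected conditions above (a version before 1.61.1, `url_preview_enabled: true`, and the media repo not disabled) can be turned into a quick exposure check for an administrator's own `homeserver.yaml`. This is an added example, not Synapse's code; it assumes the two options appear as unindented top-level booleans and reads only those, without a YAML library, and the sample configuration is constructed.

```python
import re

# Version that ships the fix, per the release notes above.
FIXED_VERSION = (1, 61, 1)

def parse_version(version: str) -> tuple:
    """Turn a Synapse version string such as '1.61.0' or '1.61.0rc1' into a tuple.
    Only the leading numeric components are compared; an 'rc' suffix is ignored
    (an assumption made for this example)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())

def top_level_bools(config_text: str) -> dict:
    """Read top-level `key: true|false` lines from a homeserver.yaml.
    Deliberately minimal (no YAML library): only unindented scalar booleans are
    considered, which covers the two options this advisory depends on."""
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(true|false)\s*$", line, re.IGNORECASE)
        if m:
            found[m.group(1)] = m.group(2).lower() == "true"
    return found

def is_exposed(version: str, config_text: str) -> bool:
    """True when this deployment matches the affected conditions in the notes:
    running a version before 1.61.1, with url_preview_enabled: true and the
    media repo not disabled (enable_media_repo defaults to true)."""
    if parse_version(version) >= FIXED_VERSION:
        return False
    opts = top_level_bools(config_text)
    previews_on = opts.get("url_preview_enabled", False)  # default: false
    media_repo_on = opts.get("enable_media_repo", True)   # default: true
    return previews_on and media_repo_on

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """\
server_name: "example.test"
enable_media_repo: true
url_preview_enabled: true  # previews switched on
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
"""

if __name__ == "__main__":
    print("exposed:", is_exposed("1.61.0", SAMPLE_CONFIG))
```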