11 Apr 2021 |
Yannick | "All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k." | 11:41:13 |
Yannick | ref. https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html | 11:42:11 |
Yannick | OpenSSL in debian stable is 1.1.1d-0+deb10u6 which has been patched against CVE-2021-3449 AFAICT cf. https://sources.debian.org/patches/openssl/1.1.1d-0+deb10u6/ (the CVE is mentioned in 3 patches)
At this point, we need to know if the Python Cryptography library in Debian is using libssl1.1 dynamically or if it uses a static version of OpenSSL.
List of files for python3-cryptography in buster: https://packages.debian.org/buster/amd64/python3-cryptography/filelist
On my system (debian stable): | 11:43:21 |
Yannick | $ ldd /usr/lib/python3/dist-packages/cryptography/hazmat/bindings/_openssl.abi3.so
../..
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f74d262e000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f74d2345000)
../..
| 11:44:10 |
Yannick | So, is synapse safe then? It seems safe to me, but I do not have enough expertise to be sure. Can someone knowledgeable confirm? | 11:45:05 |
Q | If you restarted synapse, everything is fixed. | 12:00:23 |
Yannick | Thank you. I did it already. | 12:01:36 |
Q | Debian stable was not affected by that CVE because it was introduced in a later version. | 12:02:46 |
Q | * Debian stable was not affected by CVE-2021-3450 because it was introduced in a later version. | 12:03:52 |
Q | But CVE-2021-3449 is something that likely did affect synapse if you do not use a reverse proxy. | 12:05:12 |
Yannick | It seems to me it was affected by CVE-2021-3449 and has been patched against it in libssl1.1 | 12:05:03 |
Yannick | I agree 3450 is out of scope here. | 12:06:18 |
12 Apr 2021 |
andrewsh | In reply to @yannick:bistre.fr Hi folks! when synapse 1.30.1 with the security fix for OpenSSL will be available? I'm using fasttrack on debian buster and latest is 1.30.0. it never will be | 07:58:12 |
andrewsh | In reply to @yannick:bistre.fr Hi folks! when synapse 1.30.1 with the security fix for OpenSSL will be available? I'm using fasttrack on debian buster and latest is 1.30.0. * it never will be | 07:58:56 |
andrewsh | * it never will be | 07:59:01 |
13 Apr 2021 |
Q | fasttrack seems to be really fast. | 17:16:09 |
RSS Bot [@hubert:uhoreg.ca] | Debian package news for matrix-synapse: Accepted matrix-synapse 1.31.0-2 (source) into unstable | 18:23:09 |
14 Apr 2021 |
RSS Bot [@hubert:uhoreg.ca] | Debian package news for matrix-synapse: A new upstream version is available: 1.32.0~rc1 (https://github.com/matrix-org/synapse/archive/refs/tags/v1.32.0rc1.tar.gz) | 03:03:13 |
RSS Bot [@hubert:uhoreg.ca] | Debian package news for nheko: Marked for autoremoval on 06 May: #986519 (https://bugs.debian.org/986519) | 14:37:09 |
RSS Bot [@hubert:uhoreg.ca] | Debian package news for matrix-synapse: Depends on packages which need a new maintainer | 18:08:18 |
RSS Bot [@hubert:uhoreg.ca] | Debian package news for nheko: 1 bug tagged patch in the BTS (Bug Tracking System) (https://bugs.debian.org/cgi-bin/pkgreport.cgi?include=tags%3Apatch&exclude=tags%3Apending&pend-exc=done&repeatmerged=no&src=nheko) | 21:07:17 |
17 Apr 2021 |
| Nik changed their display name from Nik to Klampfradler. | 09:03:49 |
19 Apr 2021 |
| WobbelTheBear joined the room. | 07:44:47 |
RSS Bot [@hubert:uhoreg.ca] | Debian package news for nheko: Accepted nheko 0.8.0+really0.7.2-4 (source) into unstable | 21:21:27 |
craigevil | nheko is at Candidate: 0.8.0-1 in unstable | 21:29:24 |
emorrp1 | craigevil: it takes a couple of minutes/hours to update that page | 21:30:42 |
uhoreg | Had to downgrade nheko in unstable to fix the FTBFS | 21:36:55 |
27 Apr 2021 |
RSS Bot [@hubert:uhoreg.ca] | Debian package news for nheko: nheko 0.8.0+really0.7.2-4 MIGRATED to testing | 04:40:20 |
30 Apr 2021 |
| craigevil left the room. | 06:36:35 |
| ulf-sp joined the room. | 19:06:17 |