--- vuln.xml.orig 2020-09-21 12:50:23.946846000 +0200 +++ vuln.xml 2020-09-21 13:08:06.720385000 +0200 @@ -58,6 +58,39 @@ * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + py-matrix-synapse -- malformed events may prevent users from joining federated rooms + + + py36-matrix-synapse + py37-matrix-synapse + py38-matrix-synapse + 1.19.2 + + + + +

Problem Description:

+

Affected Synapse versions assume that all events have an "origin" field set. If an event + without the "origin" field is sent into a federated room, servers not already joined to + the room will be unable to do so due to failing to fetch the malformed event.

+

Impact:

+

An attacker could cause a denial of service by deliberately sending a malformed event + into a room, thus preventing new servers (and thus their users) from joining the + room.

+ +
+ + https://github.com/matrix-org/synapse/issues/8319 + https://github.com/matrix-org/synapse/pull/8324 + https://github.com/matrix-org/synapse/releases/tag/v1.19.2 + + + 2020-09-16 + 2020-09-21 + +
+ Python -- multiple vulnerabilities
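Review bot: The package list in the new entry names only py36-, py37- and py38-matrix-synapse, while the comment kept as context at the top of the hunk says "Do not forget port variants", so confirm that no other flavor of the port is built before this goes in. The 1.19.2 bound matches the v1.19.2 release tag listed in the references; if that release carries the fix from pull 8324, check that the range excludes 1.19.2 itself (less-than rather than less-or-equal). The entry references only the upstream issue, pull request and release URLs; if an advisory identifier has been assigned, add it to the references. In the Impact paragraph, "thus preventing new servers (and thus their users)" repeats "thus", and dropping the second one reads better.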