Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201901-12 ========================================= Severity: High Date : 2019-01-24 CVE-ID : CVE-2019-5885 Package : matrix-synapse Type : private key recovery Remote : No Link : https://security.archlinux.org/AVG-846 Summary ====== The package matrix-synapse before version 0.34.1.1-1 is vulnerable to private key recovery. Resolution ========= Upgrade to 0.34.1.1-1. # pacman -Syu "matrix-synapse>=0.34.1.1-1" The problem has been fixed upstream in version 0.34.1.1. Workaround ========= None. Description ========== matrix-synapse before 0.34.1 is vulnerable to private key recovery as synapse will attempt to derive a secret key from other secrets specified in the configuration file for "macaroon_secret_key". However, in all versions of Synapse up to and including 0.34.0, this process was faulty and a predictable value was used instead. Impact ===== If no private key is specified a predictable key is used allowing private key recover. References ========= https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/ https://security.archlinux.org/CVE-2019-5885