Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Improve signature checking on some federation APIs #6262

Merged
merged 2 commits into from
Oct 28, 2019

Conversation

richvdh
Copy link
Member

@richvdh richvdh commented Oct 28, 2019

Make sure that we check that events sent over /send_join, /send_leave, and
/invite, are correctly signed and come from the expected servers.

Make sure that we check that events sent over /send_join, /send_leave, and
/invite, are correctly signed and come from the expected servers.
@richvdh richvdh requested a review from a team October 28, 2019 11:54
@richvdh richvdh merged commit 172f264 into release-v1.5.0 Oct 28, 2019
@richvdh richvdh deleted the rav/send_join_sigs branch October 28, 2019 12:43
richvdh added a commit that referenced this pull request Oct 28, 2019
Synapse 1.5.0rc2 (2019-10-28)
=============================

Bugfixes
--------

- Update list of boolean columns in `synapse_port_db`. ([\#6247](#6247))
- Fix /keys/query API on workers. ([\#6256](#6256))
- Improve signature checking on some federation APIs. ([\#6262](#6262))

Internal Changes
----------------

- Move schema delta files to the correct data store. ([\#6248](#6248))
- Small performance improvement by removing repeated config lookups in room stats calculation. ([\#6255](#6255))
@kyrias
Copy link
Contributor

kyrias commented Nov 8, 2019

This apparently got assigned CVE-2019-18835.

svenstaro pushed a commit to archlinux/svntogit-community that referenced this pull request Jul 22, 2020
This release fixes a security issue relating to signature checking of events.
matrix-org/synapse#6262

git-svn-id: file:///srv/repos/svn-community/svn@522534 9fca08f4-af9d-4005-b8df-a31f2cc04f65
babolivier pushed a commit that referenced this pull request Sep 1, 2021
* commit '172f264ed':
  Improve signature checking on some federation APIs (#6262)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants