Debian Matrix-Synapse vulnerabilities
44 known vulnerabilities affecting debian/matrix-synapse.
Total CVEs: 44
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown
CRITICAL 1, HIGH 14, MEDIUM 22, LOW 7
Vulnerabilities
Page 3 of 3
CVE-2018-12423 (HIGH, CVSS 7.5), fixed in matrix-synapse 0.31.2+dfsg-1 (forky), 2018
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
Scope: local
forky: resolved (fixed in 0.31.2+dfsg-1)
sid: resolved (fixed in 0.31.2+dfsg-1)
debian
CVE-2018-16515 (HIGH, CVSS 8.8), fixed in matrix-synapse 0.33.3.1-1 (forky), 2018
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
Scope: local
forky: resolved (fixed in 0.33.3.1-1)
sid: resolved (fixed in 0.33.3.1-1)
debian
CVE-2018-10657 (HIGH, CVSS 7.5, Exploited), fixed in matrix-synapse 0.28.1+dfsg-1 (forky), 2018
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
Scope: local
forky: resolved (fixed in 0.28.1+dfsg-1)
sid: resolved (fixed in 0.28.1+dfsg-1)
debian
CVE-2018-12291 (HIGH, CVSS 7.5), fixed in matrix-synapse 0.31.1+dfsg-1 (forky), 2018
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
Scope: local
forky: resolved (fixed in 0.31.1+dfsg-1)
sid: resolved (fixed in 0.31.1+dfsg-1)
debian