[Bug 1848709] Re: implementation is unusably old and contains significant security problems
Richard van der Hoff
1848709 at bugs.launchpad.net
Tue May 21 11:05:18 UTC 2024
> > but Debian does not include matrix-synapse in Debian Stable releases.
>
> [citation needed]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036954,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036806#30
You're right that it's not *policy*. But, for now at least, Debian are
not including matrix-synapse in their stable releases.
> And the bug originally reported here was against the version of the
> package in bionic, a year and a half after bionic released. That
> security vulnerabilities were discovered in a package over the life
> cycle of a stable release is also not a reason for us to remove it.
Is it not? Ubuntu claims to support its LTS releases for five years; I'd
argue pretty strongly that the expectation is that security
vulnerabilities, at least, are patched for those five years. If you're
unable to do that (and I appreciate that it's a lot of work), better not
to ship the package in the first place. Ubuntu users are much better
served by the upstream packages.
To be clear, this problem was originally reported against Bionic, but
it's true of every Ubuntu release before and since. CVE-2024-31208 is a
High severity CVE which affects all current Ubuntu releases.
CVE-2023-45129 affects the version of matrix-synapse in Mantic and
Noble. The version in Jammy is, frankly, prehistoric.
> But https://ubuntu.com/security/cves?q=&package=matrix-synapse&priority=&version=&status=
> also shows none of these CVEs are scored above 'medium' priority.
True, but doesn't that rather reflect lack of triage, than any actual
severity?
** Bug watch added: Debian Bug tracker #1036954
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036954
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45129
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-31208
https://bugs.launchpad.net/bugs/1848709