| 26 Mar 2025 |
 Sumner Evans | https://github.com/element-hq/synapse/releases/tag/v1.127.1 was just released which contains a critical security fix for CVE-2025-30355. I updated https://github.com/NixOS/nixpkgs/pull/393086 to bump to the patched version. Can I get some eyes on it and a committer to merge? | 21:44:12 |
 ma27 | deploying it rn. | 21:51:58 |
| ma27 | Given the apparent severity I'm willing to make an exception and merge right away. | 21:52:16 |
 emily | perhaps a good idea to get someone to kick the channel? | 21:53:04 |
| Sumner Evans | I think that's the right call. I've been running 1.127.0 for a few days and it's been fine, and the diff to 1.127.1 is not too large. | 21:53:51 |
| Sumner Evans | from what I understand, this vulnerability is why matrix.org has been having issues today | 21:54:08 |
| emily | what do we do for backports? | 21:54:19 |
|  max invited  Willi Butz. | 21:54:25 |
| ma27 | we backport all synapse updates anyways | 21:54:28 |
| Willi Butz joined the room. | 21:54:28 |
| ma27 | so same procedure as every bump imho | 21:54:42 |
| emily | the diff looks like DoS at a glance, maybe not channel-kicking levels of severe (though of course that could be misleading) | 21:55:26 |
|  @willi:matrix.butz.cloud left the room. | 21:56:08 |
| Willi Butz | ty :) | 21:56:19 |
| emily | oh, https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389 explicitly says DoS | 21:56:24 |
|  Emma [it/its] joined the room. | 21:58:28 |
| Sumner Evans | anyone know NickCao's mxid? looks like he went ahead and merged. We should get him into this room if he's on Matrix | 21:58:32 |
| Emma [it/its] | 👋 | 21:59:13 |
| Sumner Evans | Redacted or Malformed Event | 21:59:27 |
| ma27 | there's none in the maintainer entry. will leave a message in the PR. | 21:59:27 |
| emily | haven't seen him on Matrix | 21:59:30 |
| emily | ironically :) | 21:59:41 |
| ma27 | would be kinda funny if the person who regularly merges synapse PRs doesn't use it :D | 21:59:53 |
| Sumner Evans | I assume that he must have one because he said that he tested on his homeserver | 21:59:55 |
| emily | right, I just mean in the NixOS space | 22:00:04 |
| emily | @nickcao:nichi.co is in #dev:nixos.org | 22:00:21 |
| emily | so presumably that | 22:00:27 |
| Sumner Evans | that matches the website in his GitHub profile, so that is probably it | 22:01:05 |
| ma27 invited  Nick Cao. | 22:01:29 |
| Nick Cao joined the room. | 22:02:21 |
