26 Mar 2025 |
Nick Cao | Ah I was expecting worse, that's some relief | 22:07:32 |
Emma [it/its] | i cant have my synapse going down when running multiple moderation bots for various communities says me running custom patches | 22:08:11 |
ma27 | merged the backport (cherry-picked the commit on 24.11 before to deploy my hs). I guess I can go to bed now, then :) | 22:11:06 |
emily | embargoed vulns don't work so well when you write a helpful commit message 😆 | 22:12:14 |
Ralith | still not on the channel? | 22:52:33 |
Sumner Evans | don't we have to wait for it to get built and such? | 22:53:33 |
emily | yes, it'll probably be a couple days (unless someone bumps the channels now) | 22:54:06 |
emily | (which can be done for a sufficiently severe vuln but not clear to me if this DoS would qualify) | 22:54:30 |
emily | people can get a patched Synapse from master though | 22:54:49 |
Emma [it/its] | fwiw, the vuln breaks joining affected rooms | 22:55:13 |
Emma [it/its] | being in any affected room completely breaks federation for all rooms (the old nixos space is affected btw) | 22:55:57 |
Emma [it/its] | matrix:roomid/brXHJeAtqliwNGqHQx:lossy.network | 22:56:15 |
Emma [it/its] | * matrix:roomid/brXHJeAtqliwNGqHQx:lossy.network for those still in it | 22:56:40 |
Dandellion | how are we chatting here then? | 22:56:46 |
Emma [it/its] | * to the best of my understanding | 22:57:04 |
Emma [it/its] | the patch fixes federation and handling broken rooms fwiw | 22:57:49 |
Emma [it/its] | in particular, if either your server or any server youre joining via arent patched, the join will fail with a number out of range error | 22:58:43 |
Sumner Evans | from what I understand, it's only outbound federation traffic that is affected. Confirming with the synapse devs | 22:59:32 |
Sumner Evans | Redacted or Malformed Event | 23:00:24 |
Sumner Evans | Redacted or Malformed Event | 23:03:46 |
Sumner Evans | from the maintainers:
Inbound traffic can cause outbound traffic to fail across all rooms
Personally, I think this is serious enough to bump the channels. | 23:04:41 |
Sumner Evans | Redacted or Malformed Event | 23:04:48 |
f0x | In reply to @sumner:nevarro.space from what I understand, it's only outbound federation traffic that is affected. Confirming with the synapse devs. I think that if it's only possible for users on your own homeserver to cause this problem, then we don't have to bump the channel https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6 states "a malicious server" so pretty sure this is exploitable over federation | 23:05:21 |
Sumner Evans | Redacted or Malformed Event | 23:05:45 |
emily | I'd suggest asking for a bump in #infra:nixos.org. I have the technical permissions but I don't feel confident in using them unilaterally here | 23:08:07 |
emily | e.g., it would delay the security fixes currently building on staging-next-24.11 | 23:08:18 |
Emma [it/its] | no its caused by remote users in particular | 23:08:44 |
Emma [it/its] | @ndzA8wy:mittens.jumpingcrab.com
@ZQqejO:mittens.jumpingcrab.com
@2cwBli9fJY:mittens.jumpingcrab.com
@hIuTKmCQjQ:mittens.jumpingcrab.com
@byJbUSec:optane.twilightparadox.com
@0dIr0JN:optane.twilightparadox.com
@q2PXjFrjI:optane.twilightparadox.com
@LfnjbI:optane.twilightparadox.com
@B8OWSs:optane.twilightparadox.com
@04zkgFxWPw:optane.twilightparadox.com
@eHvmaxWj:optane.twilightparadox.com
@yb4jUx:optane.twilightparadox.com
@VEloRu:vengeance.ignorelist.com
@BVbuVa:vengeance.ignorelist.com
@zYSwMcf25:vengeance.ignorelist.com
@Du6J9zkG:vengeance.ignorelist.com
@UkbIyOUyNL:vengeance.ignorelist.com
| 23:10:23 |
Emma [it/its] | here's the 3 homeservers that caused it | 23:10:33 |
27 Mar 2025 |
hexa | next time raise this earlier | 00:52:15 |