| 26 Mar 2025 |
 emily | (which can be done for a sufficiently severe vuln but not clear to me if this DoS would qualify) | 22:54:30 |
| emily | people can get a patched Synapse from master though | 22:54:49 |
 Emma [it/its] | fwiw, the vuln breaks joining affected rooms | 22:55:13 |
| Emma [it/its] | being in any affected room completely breaks federation for all rooms (the old nixos space is affected btw) | 22:55:57 |
| Emma [it/its] | matrix:roomid/brXHJeAtqliwNGqHQx:lossy.network | 22:56:15 |
| Emma [it/its] | * matrix:roomid/brXHJeAtqliwNGqHQx:lossy.network for those still in it | 22:56:40 |
 Dandellion | how are we chatting here then? | 22:56:46 |
| Emma [it/its] | * to the best of my understanding | 22:57:04 |
| Emma [it/its] | the patch fixes federation and handling broken rooms fwiw | 22:57:49 |
| Emma [it/its] | in particular, if either your server or any server youre joining via arent patched, the join will fail with a number out of range error | 22:58:43 |
 Sumner Evans | from what I understand, it's only outbound federation traffic that is affected. Confirming with the synapse devs | 22:59:32 |
| Sumner Evans | Redacted or Malformed Event | 23:00:24 |
| Sumner Evans | Redacted or Malformed Event | 23:03:46 |
| Sumner Evans | from the maintainers:
Inbound traffic can cause outbound traffic to fail across all rooms
Personally, I think this is serious enough to bump the channels. | 23:04:41 |
| Sumner Evans | Redacted or Malformed Event | 23:04:48 |
 f0x | In reply to @sumner:nevarro.space
from what I understand, it's only outbound federation traffic that is affected. Confirming with the synapse devs. I think that if it's only possible for users on your own homeserver to cause this problem, then we don't have to bump the channel https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6 states "a malicious server" so pretty sure this is exploitable over federation | 23:05:21 |
| Sumner Evans | Redacted or Malformed Event | 23:05:45 |
| emily | I'd suggest asking for a bump in #infra:nixos.org. I have the technical permissions but I don't feel confident in using them unilaterally here | 23:08:07 |
| emily | e.g., it would delay the security fixes currently building on staging-next-24.11 | 23:08:18 |
| Emma [it/its] | no its caused by remote users in particular | 23:08:44 |
| Emma [it/its] | @ndzA8wy:mittens.jumpingcrab.com
@ZQqejO:mittens.jumpingcrab.com
@2cwBli9fJY:mittens.jumpingcrab.com
@hIuTKmCQjQ:mittens.jumpingcrab.com
@byJbUSec:optane.twilightparadox.com
@0dIr0JN:optane.twilightparadox.com
@q2PXjFrjI:optane.twilightparadox.com
@LfnjbI:optane.twilightparadox.com
@B8OWSs:optane.twilightparadox.com
@04zkgFxWPw:optane.twilightparadox.com
@eHvmaxWj:optane.twilightparadox.com
@yb4jUx:optane.twilightparadox.com
@VEloRu:vengeance.ignorelist.com
@BVbuVa:vengeance.ignorelist.com
@zYSwMcf25:vengeance.ignorelist.com
@Du6J9zkG:vengeance.ignorelist.com
@UkbIyOUyNL:vengeance.ignorelist.com
| 23:10:23 |
| Emma [it/its] | here's the 3 homeservers that caused it | 23:10:33 |
| 27 Mar 2025 |
 hexa | next time raise this earlier | 00:52:15 |
| hexa | triggered nixos-24.11-small eval and bumped it to front | 00:52:29 |
| hexa | ok, everything built | 01:39:24 |
| hexa | channel scripts are working through the eval | 01:39:36 |
| hexa | nixos-24.11-small advanced | 01:45:28 |
| hexa | unstable-eval bumped as well | 01:47:26 |
| hexa | updating the nixos.org homeserver next | 01:47:35 |
| hexa | * updating the nixos.org homeserver next 🤞 | 01:47:42 |
