[ASA-202011-23] matrix-synapse: denial of service
foxboron at archlinux.org
Sat Dec 5 14:27:39 UTC 2020
Arch Linux Security Advisory ASA-202011-23
Date : 2020-11-26
CVE-ID : CVE-2020-26890
Package : matrix-synapse
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1296
The package matrix-synapse before version 1.20.1-1 is vulnerable to
denial of service.
Upgrade to 1.20.1-1.
# pacman -Syu "matrix-synapse>=1.20.1-1"
The problem has been fixed upstream in version 1.20.1.
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN,
Infinity, and -Infinity JSON values in fields of m.room.member events,
allowing remote attackers to execute a denial of service attack against
the federation and common Matrix clients. If such a malformed event is
accepted into the room's state, the impact is long-lasting and is not
fixed by an upgrade to a newer version, requiring the event to be
manually redacted instead. Since events are replicated to servers of
other room members, the impact is not constrained to the server of the
A remote attacker might be able to cause a denial of service via a
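As an added illustration (not part of the advisory or of Synapse's own code), the following Python shows why a Python-based JSON consumer accepts these tokens by default, how a strict decoder refuses them, and how to walk already-decoded state for non-finite values; the two sample events are constructed.

```python
import json
import math
from typing import Any

# Constructed sample events: one well-formed m.room.member event and one
# carrying a non-standard JSON constant, the shape the advisory describes.
GOOD_EVENT = ('{"type":"m.room.member","sender":"@alice:example.org",'
              '"content":{"membership":"join","displayname":"Alice"}}')
BAD_EVENT = ('{"type":"m.room.member","sender":"@mallory:example.org",'
             '"content":{"membership":"join","avatar_url":NaN}}')


def _reject_constant(name: str) -> Any:
    # json.loads() hands the tokens NaN, Infinity and -Infinity to
    # parse_constant; raising here makes the decoder refuse them.
    raise ValueError(f"non-standard JSON constant not allowed: {name}")


def strict_loads(raw: str) -> Any:
    """Decode JSON, rejecting NaN/Infinity/-Infinity (RFC 8259 has no such values)."""
    return json.loads(raw, parse_constant=_reject_constant)


def has_non_finite(value: Any) -> bool:
    """Walk an already-decoded object and report any float that is not finite.

    Useful for auditing room state that was accepted before the fix, since the
    advisory notes such events persist and need redaction rather than an upgrade.
    """
    if isinstance(value, float):
        return not math.isfinite(value)
    if isinstance(value, dict):
        return any(has_non_finite(v) for v in value.values())
    if isinstance(value, list):
        return any(has_non_finite(v) for v in value)
    return False


def event_is_well_formed(raw: str) -> bool:
    """True if the raw event decodes under strict rules, False otherwise."""
    try:
        strict_loads(raw)
    except ValueError:  # JSONDecodeError is a ValueError too
        return False
    return True


if __name__ == "__main__":
    # The default decoder accepts NaN; the strict variant refuses the event.
    print("default json.loads kept NaN:", has_non_finite(json.loads(BAD_EVENT)))
    print("strict: good event ok:", event_is_well_formed(GOOD_EVENT))
    print("strict: bad event ok:", event_is_well_formed(BAD_EVENT))
```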