Synapse Debian Package Security Announcement - and Synapse 0.18.3

2016-11-08 — General — Erik Johnston

We were advised of a bug with the LDAP integration an hour ago that allowed unauthenticated login in certain circumstances when using an old version of the ldap3 Python module (v0.9.x).

Currently, this is only known to affect the Debian packages of Synapse. A fix has been pushed, v0.18.2-2, and you are strongly advised to update as soon as possible.

Synapse installed using pip should not be affected, as pip will have bundled a newer version of the ldap3 module.


UPDATE: Synapse v0.18.3 released.

This issue only affects OS (not virtualenv) installations using v0.9.x of the ldap3 Python package (e.g. Debian Stable (Jessie)). Synapse itself specifies a dependency on >v1.0 of ldap3, but as the dependency is optional there is a risk that a stale operating system dependency will be pulled in instead. To be safe, Synapse 0.18.3 has just been released to fix the underlying problem for anyone using the older ldap3 package, regardless of their OS. https://github.com/matrix-org/synapse/releases/tag/v0.18.3 has the details.
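The paragraph above describes the underlying trap: an optional dependency declared with a minimum version is not enforced at install time, so the interpreter can silently import whatever stale copy the operating system provides. The following pre-flight check is an added example, not Synapse's own code, that a deployment could run to confirm the ldap3 it would actually import meets the minimum and to report where that copy comes from. The minimum "1.0" and the system-path heuristic (`/usr/lib/python*`, `/usr/share/`) are assumptions for illustration; only the version-comparison logic is exercised offline, since ldap3 need not be installed.

```python
"""Pre-flight check for a stale optional dependency (added example).

Assumption: Synapse wants ldap3 >= 1.0 (the advisory says ">v1.0"); any
0.9.x release is treated as stale regardless of how it was installed.
"""
import importlib
import re
from importlib.metadata import PackageNotFoundError, version

MIN_LDAP3 = "1.0"  # assumed minimum, taken from the advisory's ">v1.0"

# Heuristic (assumption): paths a Debian/Ubuntu system package would use.
SYSTEM_PATH_PREFIXES = ("/usr/lib/python", "/usr/share/")


def parse_version(text):
    """Turn '0.9.8.8' or '1.0.4' into a comparable tuple of ints.

    Non-numeric suffixes (e.g. '1.0.4rc1') are dropped from each component,
    which is enough for the dotted releases this check cares about.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def is_stale(installed, minimum=MIN_LDAP3):
    """True when the installed version is below the required minimum."""
    inst, req = parse_version(installed), parse_version(minimum)
    # Pad the shorter tuple so (1, 0) and (1, 0, 4) compare as expected.
    width = max(len(inst), len(req))
    inst += (0,) * (width - len(inst))
    req += (0,) * (width - len(req))
    return inst < req


def origin_is_system(path):
    """True when a module file path looks like an OS-packaged location."""
    return path is not None and path.startswith(SYSTEM_PATH_PREFIXES)


def check_ldap3(installed=None, module_path=None):
    """Report whether the ldap3 that would be imported is safe to use.

    When called with no arguments it inspects the running interpreter; the
    explicit parameters exist so the logic can be exercised without ldap3.
    """
    if installed is None:
        try:
            installed = version("ldap3")
        except PackageNotFoundError:
            return {"installed": None, "stale": False, "system": False,
                    "message": "ldap3 not installed (LDAP auth unavailable)"}
    if module_path is None:
        try:
            module_path = getattr(importlib.import_module("ldap3"), "__file__", None)
        except ImportError:
            module_path = None
    stale = is_stale(installed)
    system = origin_is_system(module_path)
    if stale:
        message = (f"ldap3 {installed} is below {MIN_LDAP3}; "
                   + ("OS package shadows the requirement" if system
                      else "upgrade before enabling LDAP auth"))
    else:
        message = f"ldap3 {installed} satisfies >= {MIN_LDAP3}"
    return {"installed": installed, "stale": stale, "system": system,
            "message": message}


if __name__ == "__main__":
    print(check_ldap3()["message"])
```

Run this from the same interpreter (OS Python or virtualenv) that will run Synapse; the point of the check is that the answer differs between the two, which is exactly how an OS install on Jessie could pick up ldap3 0.9.x while a pip install in a virtualenv did not.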

Many thanks to Adrián Pérez for reporting the problem, and to hexa- for assistance in quickly solving it!

Signed announcement: synapse-debian-security-announcement