New upstream version 1.95.1

author: Andrej Shadura <andrewsh@debian.org> 2023-11-04 21:12:28 +0100
committer: Andrej Shadura <andrewsh@debian.org> 2023-11-04 21:12:28 +0100
commit: 81284f02e2892ff52bda1b30f1a772ab7e1a5bad (patch)
tree: 9bb31f092877b92bec86409b2c4fbb420dbcdd8a
parent: e612f36b0bea943863a803c4b6e83f72d8d6c0ee (diff)
6 files changed, 37 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md
index caecc737..5aecdfb2 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,17 @@
+# Synapse 1.95.1 (2023-10-31)
+
+## Security advisory
+
+The following issue is fixed in 1.95.1.
+
+- [GHSA-mp92-3jfm-3575](https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575) / [CVE-2023-43796](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43796) — Moderate Severity
+
+  Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.
+
+See the advisory for more details. If you have any questions, email security@matrix.org.
+
+
+
 # Synapse 1.95.0 (2023-10-24)
 
 ### Internal Changes
diff --git a/debian/changelog b/debian/changelog
index 9bd5490e..2f9a7d37 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.95.1) stable; urgency=medium
+
+  * New Synapse release 1.95.1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 31 Oct 2023 14:00:00 +0000
+
 matrix-synapse-py3 (1.95.0) stable; urgency=medium
 
   * New Synapse release 1.95.0.
diff --git a/pyproject.toml b/pyproject.toml
index f3764b1a..b9cabe57 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -96,7 +96,7 @@ module-name = "synapse.synapse_rust"
 
 [tool.poetry]
 name = "matrix-synapse"
-version = "1.95.0"
+version = "1.95.1"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "Apache-2.0"
diff --git a/synapse/federation/federation_server.py b/synapse/federation/federation_server.py
index 6ac8d160..356ab049 100644
--- a/synapse/federation/federation_server.py
+++ b/synapse/federation/federation_server.py
@@ -84,7 +84,7 @@ from synapse.replication.http.federation import (
 from synapse.storage.databases.main.lock import Lock
 from synapse.storage.databases.main.roommember import extract_heroes_from_room_summary
 from synapse.storage.roommember import MemberSummary
-from synapse.types import JsonDict, StateMap, get_domain_from_id
+from synapse.types import JsonDict, StateMap, get_domain_from_id, UserID
 from synapse.util import unwrapFirstError
 from synapse.util.async_helpers import Linearizer, concurrently_execute, gather_results
 from synapse.util.caches.response_cache import ResponseCache
@@ -999,6 +999,12 @@ class FederationServer(FederationBase):
     async def on_claim_client_keys(
         self, query: List[Tuple[str, str, str, int]], always_include_fallback_keys: bool
     ) -> Dict[str, Any]:
+        if any(
+            not self.hs.is_mine(UserID.from_string(user_id))
+            for user_id, _, _, _ in query
+        ):
+            raise SynapseError(400, "User is not hosted on this homeserver")
+
         log_kv({"message": "Claiming one time keys.", "user, device pairs": query})
         results = await self._e2e_keys_handler.claim_local_one_time_keys(
             query, always_include_fallback_keys=always_include_fallback_keys
diff --git a/synapse/handlers/device.py b/synapse/handlers/device.py
index 544bc7c1..b0f60116 100644
--- a/synapse/handlers/device.py
+++ b/synapse/handlers/device.py
@@ -328,6 +328,9 @@ class DeviceWorkerHandler:
         return result
 
     async def on_federation_query_user_devices(self, user_id: str) -> JsonDict:
+        if not self.hs.is_mine(UserID.from_string(user_id)):
+            raise SynapseError(400, "User is not hosted on this homeserver")
+
         stream_id, devices = await self.store.get_e2e_device_keys_for_federation_query(
             user_id
         )
diff --git a/synapse/handlers/e2e_keys.py b/synapse/handlers/e2e_keys.py
index 8c643203..5a0c1f47 100644
--- a/synapse/handlers/e2e_keys.py
+++ b/synapse/handlers/e2e_keys.py
@@ -542,6 +542,12 @@ class E2eKeysHandler:
         device_keys_query: Dict[str, Optional[List[str]]] = query_body.get(
             "device_keys", {}
         )
+        if any(
+            not self.is_mine(UserID.from_string(user_id))
+            for user_id in device_keys_query
+        ):
+            raise SynapseError(400, "User is not hosted on this homeserver")
+
         res = await self.query_local_devices(
             device_keys_query,
             include_displaynames=(
author	Andrej Shadura <andrewsh@debian.org>	2023-11-04 21:12:28 +0100
committer	Andrej Shadura <andrewsh@debian.org>	2023-11-04 21:12:28 +0100
commit	81284f02e2892ff52bda1b30f1a772ab7e1a5bad (patch)
tree	9bb31f092877b92bec86409b2c4fbb420dbcdd8a
parent	e612f36b0bea943863a803c4b6e83f72d8d6c0ee (diff)