Candidate: CVE-2018-10657
PublicDate: 2018-05-02 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10657
 https://github.com/matrix-org/synapse/commit/33f469ba19586bbafa0cf2c7d7c35463bdab87eb
 https://matrix.org/blog/2018/05/01/security-update-synapse-0-28-1/
 https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI/edit#heading=h.fj95ykuss7s1
Description:
 Matrix Synapse before 0.28.1 is prone to a denial of service flaw where
 malicious events injected with depth = 2^63 - 1 render rooms unusable,
 related to federation/federation_base.py and handlers/message.py, as
 exploited in the wild in April 2018.
Ubuntu-Description:
Notes:
 leosilva> code is quite different in bionic and artful versus patch.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_matrix-synapse:
 upstream: https://github.com/matrix-org/synapse/commit/33f469ba19586bbafa0cf2c7d7c35463bdab87eb
upstream_matrix-synapse: released (0.28.1+dfsg-1)
precise/esm_matrix-synapse: DNE
trusty_matrix-synapse: DNE
trusty/esm_matrix-synapse: DNE
xenial_matrix-synapse: DNE
artful_matrix-synapse: ignored (reached end-of-life)
bionic_matrix-synapse: needs-triage
cosmic_matrix-synapse: released (0.28.1+dfsg-1)
disco_matrix-synapse: released (0.28.1+dfsg-1)
eoan_matrix-synapse: released (0.28.1+dfsg-1)
focal_matrix-synapse: released (0.28.1+dfsg-1)
groovy_matrix-synapse: released (0.28.1+dfsg-1)
hirsute_matrix-synapse: released (0.28.1+dfsg-1)
impish_matrix-synapse: released (0.28.1+dfsg-1)
jammy_matrix-synapse: released (0.28.1+dfsg-1)
devel_matrix-synapse: released (0.28.1+dfsg-1)