Candidate: CVE-2019-5885
PublicDate: 2019-03-21 16:01:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5885
 https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/
Description:
 Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication
 parameter is not set, uses a predictable value to derive a secret key and
 other secrets which could allow remote attackers to impersonate users.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_matrix-synapse:
upstream_matrix-synapse: released (0.34.1.1-1)
precise/esm_matrix-synapse: DNE
trusty_matrix-synapse: DNE
trusty/esm_matrix-synapse: DNE
xenial_matrix-synapse: DNE
bionic_matrix-synapse: needed
cosmic_matrix-synapse: ignored (reached end-of-life)
disco_matrix-synapse: not-affected (0.34.1.1-1)
eoan_matrix-synapse: not-affected (0.34.1.1-1)
focal_matrix-synapse: not-affected (0.34.1.1-1)
groovy_matrix-synapse: not-affected (0.34.1.1-1)
hirsute_matrix-synapse: not-affected (0.34.1.1-1)
impish_matrix-synapse: not-affected (0.34.1.1-1)
jammy_matrix-synapse: not-affected (0.34.1.1-1)
devel_matrix-synapse: not-affected (0.34.1.1-1)