ASA-201901-12 generated external raw

[ASA-201901-12] matrix-synapse: private key recovery
Arch Linux Security Advisory ASA-201901-12 ========================================== Severity: High Date : 2019-01-24 CVE-ID : CVE-2019-5885 Package : matrix-synapse Type : private key recovery Remote : No Link : Summary ======= The package matrix-synapse before version is vulnerable to private key recovery. Resolution ========== Upgrade to # pacman -Syu "matrix-synapse>=" The problem has been fixed upstream in version Workaround ========== None. Description =========== matrix-synapse before 0.34.1 is vulnerable to private key recovery as synapse will attempt to derive a secret key from other secrets specified in the configuration file for "macaroon_secret_key". However, in all versions of Synapse up to and including 0.34.0, this process was faulty and a predictable value was used instead. Impact ====== If no private key is specified a predictable key is used allowing private key recover. References ==========