CVE-2019-5885 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	No
Type	Private key recovery
Description	matrix-synapse before 0.34.1 is vulnerable to private key recovery as synapse will attempt to derive a secret key from other secrets specified in the configuration file for "macaroon_secret_key". However, in all versions of Synapse up to and including 0.34.0, this process was faulty and a predictable value was used instead.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-846	matrix-synapse	0.34.0-1	0.34.1.1-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
24 Jan 2019	ASA-201901-12	AVG-846	matrix-synapse	High	private key recovery

References
https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/