Bug ID 1205669
Summary VUL-0: CVE-2022-41952: matrix-synapse: URL preview functionality is not properly limiting connection time
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/348715/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee okurz@suse.com
Reporter abergmann@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

Only openSUSE:Backports and openSUSE:Factory:

CVE-2022-41952

Synapse before 1.52.0 with URL preview functionality enabled will attempt to
generate URL previews for media stream URLs without properly limiting
connection time. Connections will only be terminated after `max_spider_size`
(default: 10M) bytes have been downloaded, which can in some cases lead to
long-lived connections towards the streaming media server (for instance,
Icecast). This can cause excessive traffic and connections toward such servers
if their stream URL is, for example, posted to a large room with many Synapse
instances with URL preview enabled. Version 1.52.0 implements a timeout
mechanism which will terminate URL preview connections after 30 seconds. Since
generating URL previews for media streams is not supported and always fails,
1.53.0 additionally implements an allow list for content types for which
Synapse will even attempt to generate a URL preview. Upgrade to 1.53.0 to fully
resolve the issue. As a workaround, turn off URL preview functionality by
setting `url_preview_enabled: false` in the Synapse configuration file.
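An added illustration of the two mitigations the description outlines, written for this report and not taken from Synapse or the linked pull requests: a body reader bounded by both a byte cap (the `max_spider_size` behaviour) and a wall-clock deadline (the 1.52.0 timeout), preceded by a content-type allow list check (the 1.53.0 change) that refuses media streams before any body byte is read. The `PREVIEW_CONTENT_TYPES` set, the `FakeClock`, the endless stream and all function names are constructed for the example; Synapse's real allow list and reader live in the linked changes and are not reproduced here.

```python
import time
from typing import Callable, Iterable, Tuple

# Constructed allow list for this example; Synapse's real list (added in 1.53.0)
# is in the linked pull request and is not reproduced here.
PREVIEW_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/png", "image/jpeg"}

MAX_SPIDER_SIZE = 10 * 1024 * 1024   # the 10M default named in the description
PREVIEW_TIMEOUT = 30.0               # the 30 s deadline introduced in 1.52.0


def content_type_allowed(content_type: str) -> bool:
    """Allow-list check done on the response headers, before any body is read.
    Strips parameters such as '; charset=utf-8' and compares the media type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in PREVIEW_CONTENT_TYPES


def read_body_bounded(chunks: Iterable[bytes], max_size: int = MAX_SPIDER_SIZE,
                      timeout: float = PREVIEW_TIMEOUT,
                      clock: Callable[[], float] = time.monotonic) -> Tuple[bytes, str]:
    """Consume body chunks until either max_size bytes are buffered or `timeout`
    seconds have elapsed since the read started. Returns (data, reason) with
    reason in {'complete', 'size', 'timeout'}. timeout=float('inf') reproduces
    the size-only behaviour of Synapse before 1.52.0."""
    deadline = clock() + timeout
    buf = bytearray()
    for chunk in chunks:
        if clock() >= deadline:
            return bytes(buf), "timeout"
        buf.extend(chunk)
        if len(buf) >= max_size:
            return bytes(buf[:max_size]), "size"
    return bytes(buf), "complete"


def attempt_preview(content_type: str, chunks: Iterable[bytes], **limits) -> Tuple[bytes, str]:
    """Order matters: reject unsupported types first, so no body bytes are read
    for a media stream at all; only then read with both bounds applied."""
    if not content_type_allowed(content_type):
        return b"", "rejected"
    return read_body_bounded(chunks, **limits)


# --- constructed fixtures so the example runs offline and deterministically ---

class FakeClock:
    """Manually advanced clock standing in for time.monotonic."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def endless_stream(clock: FakeClock, chunk_size: int = 1024, seconds_per_chunk: float = 1.0):
    """Never-ending body, like a live audio stream: each 1 KiB chunk 'takes' one second."""
    while True:
        clock.now += seconds_per_chunk
        yield b"\x00" * chunk_size


def demo() -> dict:
    """Runs the three behaviours side by side and reports (reason, seconds held)."""
    results = {}
    # Pre-1.52.0: only the byte cap ends the read, so an endless body served under
    # an allowed type keeps the connection open for ~10240 s at 1 KiB/s.
    clock = FakeClock()
    _, reason = attempt_preview("text/html", endless_stream(clock), timeout=float("inf"), clock=clock)
    results["size_only"] = (reason, clock.now)

    # 1.52.0: the deadline ends the same read after 30 s.
    clock = FakeClock()
    _, reason = attempt_preview("text/html", endless_stream(clock), clock=clock)
    results["with_timeout"] = (reason, clock.now)

    # 1.53.0: a stream content type is rejected before a single chunk is read.
    clock = FakeClock()
    _, reason = attempt_preview("audio/mpeg", endless_stream(clock), clock=clock)
    results["allow_list"] = (reason, clock.now)

    # An ordinary small page still completes normally.
    _, reason = attempt_preview("text/html; charset=utf-8", [b"<html>", b"</html>"])
    results["normal_page"] = (reason,)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The deadline is measured from the start of the body read, so a server that trickles bytes just under the size cap is cut off at the same 30 s as one that never stops; the allow list is the cheaper check and runs first because it needs only the response headers. The same idea applies to any fetcher that talks to untrusted origins: bound every read by time as well as by size.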

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41952
https://www.cve.org/CVERecord?id=CVE-2022-41952
https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h
https://github.com/matrix-org/synapse/pull/11936
https://github.com/matrix-org/synapse/releases/tag/v1.53.0
https://github.com/matrix-org/synapse/releases/tag/v1.52.0
https://github.com/matrix-org/synapse/pull/11784
