
As you might have seen it on https://status.opensuse.org/ : the (synapse-)matrix service on matrix.o.o is currently down by intention.

As the service configuration - and probably the whole setup - differs in comparison to the package containing the latest (security) fixes, we decided to turn the service off instead of risking anything. Now we're waiting for someone (you?) to update the service...

Dear admins: please keep your services up to date and secure all the time. We are already trying our best to keep the underlying OS up to date for you. But that does not help, if the admins of the services are not doing their job.

Our current infrastructure policy[1] hasn't changed since 2020. So there shouldn't be anything new in it for our admins. -> please follow the rules.

Regards,
Lars

[1]: https://en.opensuse.org/openSUSE:Infrastructure_policy

Damn, I just logged in there last week and forgot to update, I'm on it.

On 27 November 2021 14:26:53 CET, Lars Vogdt <lars@linux-schulserver.de> wrote:
> As you might have seen it on https://status.opensuse.org/ : the (synapse-)matrix service on matrix.o.o is currently down by intention.
>
> As the service configuration - and probably the whole setup - differs in comparison to the package containing the latest (security) fixes, we decided to turn the service off instead of risking anything. Now we're waiting for someone (you?) to update the service...
>
> Dear admins: please keep your services up to date and secure all the time. We are already trying our best to keep the underlying OS up to date for you. But that does not help, if the admins of the services are not doing their job.
>
> Our current infrastructure policy[1] hasn't changed since 2020. So there shouldn't be anything new in it for our admins. -> please follow the rules.
>
> Regards, Lars

LCP [Sasi] https://lcp.world/

Hi Sasi

I'm sorry to say, but:

    curl https://matrix.opensuse.org/_matrix/federation/v1/version | jq

results in

    "server": { "name": "Synapse", "version": "1.46.0" }

Synapse 1.47.1: This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible.

The issue is public at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41281

I convinced IT to not instantly power down the machine, as the (now enforced) AppArmor profile covers us for a while. But it gives a bad picture, if we report an application fixed and updated - while it is not. Can I ask you to check and finally deploy the security fix?

Regards,
Lars

On Sat, 27 Nov 2021 14:56:31 +0100, Sasi Olin <hellcp@opensuse.org> wrote:
> Damn, I just logged in there last week and forgot to update, I'm on it.
>
> On 27 November 2021 14:26:53 CET, Lars Vogdt <lars@linux-schulserver.de> wrote:
>> As you might have seen it on https://status.opensuse.org/ : the (synapse-)matrix service on matrix.o.o is currently down by intention.
>>
>> As the service configuration - and probably the whole setup - differs in comparison to the package containing the latest (security) fixes, we decided to turn the service off instead of risking anything. Now we're waiting for someone (you?) to update the service...
>>
>> Dear admins: please keep your services up to date and secure all the time. We are already trying our best to keep the underlying OS up to date for you. But that does not help, if the admins of the services are not doing their job.
>>
>> Our current infrastructure policy[1] hasn't changed since 2020. So there shouldn't be anything new in it for our admins. -> please follow the rules.
>>
>> Regards, Lars
>
> LCP [Sasi] https://lcp.world/

On Thu, Dec 2 2021 at 10:02:52 AM +0100, Lars Vogdt <lars@linux-schulserver.de> wrote:
> Hi Sasi
>
> I'm sorry to say, but:
>
>     curl https://matrix.opensuse.org/_matrix/federation/v1/version | jq
>
> results in
>
>     "server": { "name": "Synapse", "version": "1.46.0" }
>
> Synapse 1.47.1: This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible.
>
> The issue is public at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41281
>
> I convinced IT to not instantly power down the machine, as the (now enforced) AppArmor profile covers us for a while. But it gives a bad picture, if we report an application fixed and updated - while it is not. Can I ask you to check and finally deploy the security fix?

Wrong default version of python3 used, resulting in an older version being used. I will fix that in a second.
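
The check Lars ran by hand can be turned into a post-update verification that asks the running service which version it serves and compares it with the fixed release. This is an added example, not part of the thread or of openSUSE's tooling; the sample response bodies are constructed, and the function names are hypothetical.

```python
import json
import re

# Fixed release named in the thread (Synapse 1.47.1, CVE-2021-41281).
FIXED = (1, 47, 1)

# Constructed sample bodies, shaped like the output quoted in the thread.
SAMPLE_OLD = '{"server": {"name": "Synapse", "version": "1.46.0"}}'
SAMPLE_NEW = '{"server": {"name": "Synapse", "version": "1.47.1"}}'


def parse_version(text):
    """Return the leading numeric x.y.z of a version string as a tuple.

    Any suffix after x.y.z is ignored (assumption: the numeric prefix
    is what identifies the release).
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def check_response(body, fixed=FIXED):
    """Classify the body returned by /_matrix/federation/v1/version.

    Returns (status, detail); status is "patched", "vulnerable" or
    "unknown". Anything that cannot be parsed is "unknown", never "patched".
    """
    try:
        server = json.loads(body)["server"]
        name, version = server["name"], server["version"]
        running = parse_version(version)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return "unknown", f"cannot determine version: {exc}"
    if name != "Synapse":
        return "unknown", f"server reports {name!r}, not Synapse"
    if running < fixed:  # numeric tuple compare, so 1.100.0 > 1.47.1
        wanted = ".".join(map(str, fixed))
        return "vulnerable", f"{version} is older than {wanted}"
    return "patched", f"{version} includes the fix"


if __name__ == "__main__":
    for body in (SAMPLE_OLD, SAMPLE_NEW, "<html>502 Bad Gateway</html>"):
        print(check_response(body))
```

Feeding it the body fetched with the curl command from the thread checks the process that is actually running, so it also catches an update that was installed but is not the version being served.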