FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dendrite -- Signature checks not applied to some retrieved missing events

Affected packages
dendrite < 0.9.8

Details

VuXML ID 4ebaa983-3299-11ed-95f8-901b0e9408dc
Discovery 2022-09-12
Entry 2022-09-12

Dendrite team reports:

Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.

Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified.

Homeservers that have federation disabled are not vulnerable.
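
An added illustration of the kind of check the report describes, not Dendrite's own code: one verification gate that every batch of remotely retrieved events passes through, failing closed on a bad signature or an unknown origin. The `Event` type, `VerifyAll`, `SampleResponse`, the server names and the all-zero test seed are constructed for this example, and signing raw content bytes is an assumed simplification of Matrix's real event-signing rules.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Event is a simplified stand-in for a federated event (assumption: real
// Matrix events are signed over redacted canonical JSON, not raw bytes).
type Event struct {
	ID, Origin   string // Origin: server name claimed as the signer
	Content, Sig []byte
}

// VerifyAll returns the events whose signature verifies against the origin's
// known key, plus the IDs of rejected events so they can be logged.
func VerifyAll(events []Event, keys map[string]ed25519.PublicKey) (ok []Event, rejected []string) {
	for _, ev := range events {
		key, known := keys[ev.Origin]
		// Unknown origin, malformed key or bad signature all fail closed.
		if !known || len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, ev.Content, ev.Sig) {
			rejected = append(rejected, ev.ID)
			continue
		}
		ok = append(ok, ev)
	}
	return ok, rejected
}

// SampleResponse builds a constructed response: one valid event, one modified
// after signing, and one claiming an origin with no known key.
func SampleResponse() ([]Event, map[string]ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: test data only
	pub := priv.Public().(ed25519.PublicKey)
	keys := map[string]ed25519.PublicKey{"origin.example": pub}
	good := Event{ID: "$good", Origin: "origin.example", Content: []byte(`{"body":"hello"}`)}
	good.Sig = ed25519.Sign(priv, good.Content)
	tampered := good
	tampered.ID, tampered.Content = "$tampered", []byte(`{"body":"HELLO"}`)
	unknown := Event{ID: "$unknown", Origin: "other.example", Content: good.Content, Sig: good.Sig}
	return []Event{good, tampered, unknown}, keys
}

func main() {
	events, keys := SampleResponse()
	ok, rejected := VerifyAll(events, keys)
	fmt.Println(len(ok), "accepted; rejected:", rejected)
}
```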

References

URL https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c