Refuse requests and events signed by banned signing keys#19459
Merged
sandhose merged 2 commits intorelease-v1.147from Feb 12, 2026
Merged
Refuse requests and events signed by banned signing keys#19459sandhose merged 2 commits intorelease-v1.147from
sandhose merged 2 commits intorelease-v1.147from
Conversation
This was referenced Feb 16, 2026
mcalinghee
added a commit
to tchapgouv/synapse
that referenced
this pull request
Feb 16, 2026
- Block federation requests and events authenticated using a known insecure signing key. See [CVE-2026-24044](https://www.cve.org/CVERecord?id=CVE-2026-24044) / [ELEMENTSEC-2025-1670](GHSA-qwcj-h6m8-vp6q). ([\element-hq#19459](element-hq#19459)) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEE7qit+jwB/tnnqkQqItYrhFUnGfwFAmmN9ucACgkQItYrhFUn # Gfxn0RAAphtPC/LnSaefBHgNNKN0cnFK6N9FvuvKyEkqKYQNNoCaAGW2NzmeFfcX # lPKCZWaABgCQUTxQWf2ck2VlGe3SwcLTUwcIjnlVs8uYP8JiTek8743Czx8T88M1 # TlotLgnH93nNudXOCXAThYbktrOZZtJM1E7AWJLUfQcUFS30ZbEgCYAmCuJ60OgL # jn80CKHQJxw9u1Hty1G9yN2j0gLjO4KRkSuQ7jc3ouG2Fx/HQZ8H1/zX/H4niClN # Y5VAPp0V0VN9KKV1xJXayDQ25ytAqkZvOpBnMIhHmCEFKElio3BlpjnlajsGfIqW # 6SKwmDczjrdKwbnOFtOFUzqs2LWm9RZOo8mrdDpb4uWiZ8ANnyffajrROzRGCI8d # 8NeOJKYl9fHZrEtAiZYPBYJNOtmW/+CtxckfOkBKri4i8ryDsXS2iER7LrMc2tyd # oZVVDLX2l74KLw4NziSxqheQVKFShSWBxuDb2AVk15BhoMZd7YcAP+VFtmf0ZtUD # XBaGQ+oWA4C2a8WSVHPXezSwt78sKcILH1bL6ZzUUen0k8bavjxW0xb3Db4F00D1 # P/SXHdN18XYdsjYcpC1b1zuUUVLD5wXnVj2fKAWlierokD1Y3Q6G6NREI/L4G350 # asu+ejyQrJn3VKoFtGccfGdvNlp8BKxCvWNXA/cy5042HUuSJiY= # =/PNG # -----END PGP SIGNATURE----- # gpg: Signature made Thu Feb 12 16:51:03 2026 CET # gpg: using RSA key EEA8ADFA3C01FED9E7AA442A22D62B84552719FC # gpg: Can't check signature: No public key # Conflicts: # .github/workflows/release-artifacts.yml # synapse/app/_base.py
mcalinghee
added a commit
to tchapgouv/synapse
that referenced
this pull request
Feb 16, 2026
- Block federation requests and events authenticated using a known insecure signing key. See [CVE-2026-24044](https://www.cve.org/CVERecord?id=CVE-2026-24044) / [ELEMENTSEC-2025-1670](GHSA-qwcj-h6m8-vp6q). ([\element-hq#19459](element-hq#19459)) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEE7qit+jwB/tnnqkQqItYrhFUnGfwFAmmN9ucACgkQItYrhFUn # Gfxn0RAAphtPC/LnSaefBHgNNKN0cnFK6N9FvuvKyEkqKYQNNoCaAGW2NzmeFfcX # lPKCZWaABgCQUTxQWf2ck2VlGe3SwcLTUwcIjnlVs8uYP8JiTek8743Czx8T88M1 # TlotLgnH93nNudXOCXAThYbktrOZZtJM1E7AWJLUfQcUFS30ZbEgCYAmCuJ60OgL # jn80CKHQJxw9u1Hty1G9yN2j0gLjO4KRkSuQ7jc3ouG2Fx/HQZ8H1/zX/H4niClN # Y5VAPp0V0VN9KKV1xJXayDQ25ytAqkZvOpBnMIhHmCEFKElio3BlpjnlajsGfIqW # 6SKwmDczjrdKwbnOFtOFUzqs2LWm9RZOo8mrdDpb4uWiZ8ANnyffajrROzRGCI8d # 8NeOJKYl9fHZrEtAiZYPBYJNOtmW/+CtxckfOkBKri4i8ryDsXS2iER7LrMc2tyd # oZVVDLX2l74KLw4NziSxqheQVKFShSWBxuDb2AVk15BhoMZd7YcAP+VFtmf0ZtUD # XBaGQ+oWA4C2a8WSVHPXezSwt78sKcILH1bL6ZzUUen0k8bavjxW0xb3Db4F00D1 # P/SXHdN18XYdsjYcpC1b1zuUUVLD5wXnVj2fKAWlierokD1Y3Q6G6NREI/L4G350 # asu+ejyQrJn3VKoFtGccfGdvNlp8BKxCvWNXA/cy5042HUuSJiY= # =/PNG # -----END PGP SIGNATURE----- # gpg: Signature made Thu Feb 12 16:51:03 2026 CET # gpg: using RSA key EEA8ADFA3C01FED9E7AA442A22D62B84552719FC # gpg: Can't check signature: No public key # Conflicts: # .github/workflows/release-artifacts.yml # synapse/app/_base.py
mcalinghee
added a commit
to tchapgouv/synapse
that referenced
this pull request
Feb 16, 2026
- Block federation requests and events authenticated using a known insecure signing key. See [CVE-2026-24044](https://www.cve.org/CVERecord?id=CVE-2026-24044) / [ELEMENTSEC-2025-1670](GHSA-qwcj-h6m8-vp6q). ([\element-hq#19459](element-hq#19459)) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEE7qit+jwB/tnnqkQqItYrhFUnGfwFAmmN9ucACgkQItYrhFUn # Gfxn0RAAphtPC/LnSaefBHgNNKN0cnFK6N9FvuvKyEkqKYQNNoCaAGW2NzmeFfcX # lPKCZWaABgCQUTxQWf2ck2VlGe3SwcLTUwcIjnlVs8uYP8JiTek8743Czx8T88M1 # TlotLgnH93nNudXOCXAThYbktrOZZtJM1E7AWJLUfQcUFS30ZbEgCYAmCuJ60OgL # jn80CKHQJxw9u1Hty1G9yN2j0gLjO4KRkSuQ7jc3ouG2Fx/HQZ8H1/zX/H4niClN # Y5VAPp0V0VN9KKV1xJXayDQ25ytAqkZvOpBnMIhHmCEFKElio3BlpjnlajsGfIqW # 6SKwmDczjrdKwbnOFtOFUzqs2LWm9RZOo8mrdDpb4uWiZ8ANnyffajrROzRGCI8d # 8NeOJKYl9fHZrEtAiZYPBYJNOtmW/+CtxckfOkBKri4i8ryDsXS2iER7LrMc2tyd # oZVVDLX2l74KLw4NziSxqheQVKFShSWBxuDb2AVk15BhoMZd7YcAP+VFtmf0ZtUD # XBaGQ+oWA4C2a8WSVHPXezSwt78sKcILH1bL6ZzUUen0k8bavjxW0xb3Db4F00D1 # P/SXHdN18XYdsjYcpC1b1zuUUVLD5wXnVj2fKAWlierokD1Y3Q6G6NREI/L4G350 # asu+ejyQrJn3VKoFtGccfGdvNlp8BKxCvWNXA/cy5042HUuSJiY= # =/PNG # -----END PGP SIGNATURE----- # gpg: Signature made Thu Feb 12 16:51:03 2026 CET # gpg: using RSA key EEA8ADFA3C01FED9E7AA442A22D62B84552719FC # gpg: Can't check signature: No public key # Conflicts: # .github/workflows/release-artifacts.yml # synapse/app/_base.py
mcalinghee
added a commit
to tchapgouv/synapse
that referenced
this pull request
Feb 16, 2026
- Block federation requests and events authenticated using a known insecure signing key. See [CVE-2026-24044](https://www.cve.org/CVERecord?id=CVE-2026-24044) / [ELEMENTSEC-2025-1670](GHSA-qwcj-h6m8-vp6q). ([\element-hq#19459](element-hq#19459)) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEE7qit+jwB/tnnqkQqItYrhFUnGfwFAmmN9ucACgkQItYrhFUn # Gfxn0RAAphtPC/LnSaefBHgNNKN0cnFK6N9FvuvKyEkqKYQNNoCaAGW2NzmeFfcX # lPKCZWaABgCQUTxQWf2ck2VlGe3SwcLTUwcIjnlVs8uYP8JiTek8743Czx8T88M1 # TlotLgnH93nNudXOCXAThYbktrOZZtJM1E7AWJLUfQcUFS30ZbEgCYAmCuJ60OgL # jn80CKHQJxw9u1Hty1G9yN2j0gLjO4KRkSuQ7jc3ouG2Fx/HQZ8H1/zX/H4niClN # Y5VAPp0V0VN9KKV1xJXayDQ25ytAqkZvOpBnMIhHmCEFKElio3BlpjnlajsGfIqW # 6SKwmDczjrdKwbnOFtOFUzqs2LWm9RZOo8mrdDpb4uWiZ8ANnyffajrROzRGCI8d # 8NeOJKYl9fHZrEtAiZYPBYJNOtmW/+CtxckfOkBKri4i8ryDsXS2iER7LrMc2tyd # oZVVDLX2l74KLw4NziSxqheQVKFShSWBxuDb2AVk15BhoMZd7YcAP+VFtmf0ZtUD # XBaGQ+oWA4C2a8WSVHPXezSwt78sKcILH1bL6ZzUUen0k8bavjxW0xb3Db4F00D1 # P/SXHdN18XYdsjYcpC1b1zuUUVLD5wXnVj2fKAWlierokD1Y3Q6G6NREI/L4G350 # asu+ejyQrJn3VKoFtGccfGdvNlp8BKxCvWNXA/cy5042HUuSJiY= # =/PNG # -----END PGP SIGNATURE----- # gpg: Signature made Thu Feb 12 16:51:03 2026 CET # gpg: using RSA key EEA8ADFA3C01FED9E7AA442A22D62B84552719FC # gpg: Can't check signature: No public key # Conflicts: # .github/workflows/release-artifacts.yml # synapse/app/_base.py
mcalinghee
added a commit
to tchapgouv/synapse
that referenced
this pull request
Feb 16, 2026
- Block federation requests and events authenticated using a known insecure signing key. See [CVE-2026-24044](https://www.cve.org/CVERecord?id=CVE-2026-24044) / [ELEMENTSEC-2025-1670](GHSA-qwcj-h6m8-vp6q). ([\element-hq#19459](element-hq#19459)) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEE7qit+jwB/tnnqkQqItYrhFUnGfwFAmmN9ucACgkQItYrhFUn # Gfxn0RAAphtPC/LnSaefBHgNNKN0cnFK6N9FvuvKyEkqKYQNNoCaAGW2NzmeFfcX # lPKCZWaABgCQUTxQWf2ck2VlGe3SwcLTUwcIjnlVs8uYP8JiTek8743Czx8T88M1 # TlotLgnH93nNudXOCXAThYbktrOZZtJM1E7AWJLUfQcUFS30ZbEgCYAmCuJ60OgL # jn80CKHQJxw9u1Hty1G9yN2j0gLjO4KRkSuQ7jc3ouG2Fx/HQZ8H1/zX/H4niClN # Y5VAPp0V0VN9KKV1xJXayDQ25ytAqkZvOpBnMIhHmCEFKElio3BlpjnlajsGfIqW # 6SKwmDczjrdKwbnOFtOFUzqs2LWm9RZOo8mrdDpb4uWiZ8ANnyffajrROzRGCI8d # 8NeOJKYl9fHZrEtAiZYPBYJNOtmW/+CtxckfOkBKri4i8ryDsXS2iER7LrMc2tyd # oZVVDLX2l74KLw4NziSxqheQVKFShSWBxuDb2AVk15BhoMZd7YcAP+VFtmf0ZtUD # XBaGQ+oWA4C2a8WSVHPXezSwt78sKcILH1bL6ZzUUen0k8bavjxW0xb3Db4F00D1 # P/SXHdN18XYdsjYcpC1b1zuUUVLD5wXnVj2fKAWlierokD1Y3Q6G6NREI/L4G350 # asu+ejyQrJn3VKoFtGccfGdvNlp8BKxCvWNXA/cy5042HUuSJiY= # =/PNG # -----END PGP SIGNATURE----- # gpg: Signature made Thu Feb 12 16:51:03 2026 CET # gpg: using RSA key EEA8ADFA3C01FED9E7AA442A22D62B84552719FC # gpg: Can't check signature: No public key # Conflicts: # .github/workflows/release-artifacts.yml # synapse/app/_base.py
github-merge-queue bot
pushed a commit
to famedly/synapse
that referenced
this pull request
Feb 18, 2026
# Famedly Synapse Release v1.147.1_1 depends on: famedly/complement#11 ## Famedly additions for v1.146.0_1 None ### Notes for Famedly: - Disallow requests to the health endpoint from containing trailing path characters. ([\#19405](element-hq/synapse#19405)) - Block federation requests and events authenticated using a known insecure signing key. See [CVE-2026-24044](https://www.cve.org/CVERecord?id=CVE-2026-24044) / [ELEMENTSEC-2025-1670](GHSA-qwcj-h6m8-vp6q). ([\#19459](element-hq/synapse#19459))
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See https://github.com/element-hq/synapse-private/pull/102