fix(element): Update Synapse to 1.127.1; Fixes https://www.cve.org/CVERecord?id=CVE-2025-30355 which applies to Synapse installations with unrestricted (no allow list) federation enabled

2025-12-06 07:21:36 +01:00 · 2025-03-27 08:18:59 +01:00
parent f758685a2e
commit 5cd12b91c7
5 changed files with 24 additions and 12 deletions
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -18,6 +18,8 @@ SPDX-License-Identifier: Apache-2.0
  * [OpenProject](#openproject)
  * [PostgreSQL](#postgresql)
  * [Keycloak](#keycloak)
+    * [Setting the log level](#setting-the-log-level)
+    * [Accessing the Keycloak admin console](#accessing-the-keycloak-admin-console)
 <!-- TOC -->

 # Disclaimer
@@ -198,6 +200,8 @@ While you will find all details in the [psql subsection](https://www.postgresql.

 ## Keycloak

+### Setting the log level
+
 Keycloak is the gateway to integrate other authentication management systems or applications. It can be desired to
 avoid enabling debug mode for the whole platform when you just need to look into Keycloak.

@@ -214,3 +218,9 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat

 > **Note**<br>
 > As the `ums-keycloak-extensions-handler` is performing frequent (one per second) requests to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.
+
+### Accessing the Keycloak admin console
+
+Deployments set to `debug.enable: true` expose the Keycloak admin console at `http://id.<your_opendesk_domain>/admin/`. This can also be achieved by updating the Ingress `ums-keycloak-extensions-proxy` with an additional path that allows access to `/admin/`.
+
+The admin console login is using the default Keycloak admin account `kcadmin` and the password from the secret `ums-opendesk-keycloak-credentials`.
--- a/docs/enhanced-configuration/idp-federation.md
+++ b/docs/enhanced-configuration/idp-federation.md
@@ -28,10 +28,10 @@ This document shows how to configure your organization's IdP and the openDesk Id

 We would like to list successful IdP federation scenarios, so we are also happy about input from the community:

-| External IdP                                                        | last openDesk version tested |
-| ------------------------------------------------------------------- | ---------------------------- |
-| [EU Login](https://webgate.ec.europa.eu/cas/userdata/myAccount.cgi) | v0.9.0                       |
-| [ProConnect](https://www.proconnect.gouv.fr/)                       | v0.9.0                       |
+| External IdP                                                        | openDesk versions tested |
+|---------------------------------------------------------------------|--------------------------|
+| [EU Login](https://webgate.ec.europa.eu/cas/userdata/myAccount.cgi) | v0.9.0, v1.2.0           |
+| [ProConnect](https://www.proconnect.gouv.fr/)                       | v0.9.0                   |

 # Prerequisites

--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -109,7 +109,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "6.1.2"
+    version: "6.1.3"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -119,7 +119,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "6.1.2"
+    version: "6.1.3"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -211,7 +211,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "6.1.2"
+    version: "6.1.3"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -449,7 +449,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "6.1.2"
+    version: "6.1.3"
    verify: true
  synapseAdmin:
    # Enterprise Component
@@ -477,7 +477,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "6.1.2"
+    version: "6.1.3"
    verify: true
  synapseGroupsync:
    # Enterprise Component
@@ -505,7 +505,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "6.1.2"
+    version: "6.1.3"
    verify: true
  xwiki:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -933,7 +933,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "91", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.121.1@sha256:5d8081b6004eb115635334dbc1ec2f87318f19d5ad0e7c62f7476d4cc16de277"
+    tag: "v1.127.1@sha256:0b0b933314ac9e1ba917a72c29d5b49c47828ab6e8df3aae3ac244ee947a89fc"
  synapseCreateUser:
    # providerCategory: "Community"
    # providerResponsible: "Nordeck"
--- a/helmfile/files/theme/portal/stylesheet.css
+++ b/helmfile/files/theme/portal/stylesheet.css
@@ -136,7 +136,9 @@
 #kc-login,
 #kc-logout,
 #saveTOTPBtn,
-.pf-c-button.btn-lg {
+.pf-c-button.btn-lg,
+.kc-social-provider-name
+{
  color: var(--color-opendesk-white);
  border: 2px solid;
 }