Advisories for Golang/Github.com/Matrix-Org/Dendrite package

2022

Improper Verification of Cryptographic Signature

Dendrite is a Matrix homeserver written in Go. In affected versions, events retrieved from a remote homeserver using the /get_missing_events path do not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state), as they have been correctly verified. Homeservers that have federation disabled …

Incorrect Authorization

gomatrixserverlib is a Go library for Matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the events_default key of the m.room.power_levels event, defaulting the event default power level to zero in all cases. Power levels are the Matrix terminology for user access level. In rooms where the events_default power level had been changed, this …