From 3548a07d65511a47b0e147b8f476f3355542606e9293a20be60e373f3d91266f Mon Sep 17 00:00:00 2001
From: Marcus Rueckert
Date: Mon, 25 Sep 2023 23:13:20 +0000
Subject: [PATCH 1/2] Accepting request 1113560 from home:darix:apps

- Update to 1.92.3
This release does not affect openSUSE as we do not use the intree libwebp
Upstream changes:
This is again a security update targeted at mitigating CVE-2023-4863. It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of libwebp package at the OS level.
Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages from matrix.org.
We encourage admins to upgrade as soon as possible.
Internal Changes
- Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. (#16347)
- bump all the dependencies which are not available in tumbleweed.
- Update to 1.92.2
Only fix in this is actually changing the upstream docker configuration to mitigate the webp security bug. Does not affect our package.
- Update to 1.92.1
- Bugfixes
- Revert MSC3861 introspection cache, admin impersonation and account lock. (#16258)
- Internal Changes
- Fix incorrect docstring for Ratelimiter. (#16255)
- Update the release script to work on macOS. (#16266)
- Stop building Ubuntu Kinetic since it is EOL and repos seem

OBS-URL: https://build.opensuse.org/request/show/1113560
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=287
---
 _service | 4 ++--
 matrix-synapse-1.91.2.obscpio | 3 ---
 matrix-synapse-1.92.3.obscpio | 3 +++
 matrix-synapse-test.spec | 2 +-
 matrix-synapse.changes | 45 +++++++++++++++++++++++++++++++++++
 matrix-synapse.obsinfo | 6 ++---
 matrix-synapse.spec | 30 ++++++++++-------------
 vendor.tar.zst | 4 ++--
 8 files changed, 68 insertions(+), 29 deletions(-)
 delete mode 100644 matrix-synapse-1.91.2.obscpio
 create mode 100644 matrix-synapse-1.92.3.obscpio
diff --git a/_service b/_service
index f77625c..51fea58 100644
--- a/_service
+++ b/_service
@@ -4,11 +4,11 @@
 @PARENT_TAG@
 https://github.com/matrix-org/synapse.git
 git
- v1.91.2
+ v1.92.3
 v(.*)
 \1
diff --git a/matrix-synapse-1.91.2.obscpio b/matrix-synapse-1.91.2.obscpio
deleted file mode 100644
index ecfa6cd..0000000
--- a/matrix-synapse-1.91.2.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8df6270da824c716c7855c1dbe4426801844378f369274ad9233dd5bc19e0cc2
-size 35482637
diff --git a/matrix-synapse-1.92.3.obscpio b/matrix-synapse-1.92.3.obscpio
new file mode 100644
index 0000000..2df173d
--- /dev/null
+++ b/matrix-synapse-1.92.3.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90148eebf7b4080ec4426230d6769155e9d6e4bdbce77c5d164cc1df2a21c046
+size 35512845
diff --git a/matrix-synapse-test.spec b/matrix-synapse-test.spec
index 0a00ce1..bc88f06 100644
--- a/matrix-synapse-test.spec
+++ b/matrix-synapse-test.spec
@@ -27,7 +27,7 @@
 %define pkgname matrix-synapse
 Name: %{pkgname}-test
-Version: 1.91.2
+Version: 1.92.3
 Release: 0
 Summary: Test package for %{pkgname}
 License: Apache-2.0
diff --git a/matrix-synapse.changes b/matrix-synapse.changes
index 8ce5ed7..e053626 100644
--- a/matrix-synapse.changes
+++ b/matrix-synapse.changes
@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Mon Sep 25 23:09:42 UTC 2023 - Marcus Rueckert
+
+- Update to 1.92.3
+ This release does not affect openSUSE as we do not use the intree
+ libwebp
+
+ Upstream changes:
+ This is again a security update targeted at mitigating
+ CVE-2023-4863. It turns out that libwebp is bundled statically in
+ Pillow wheels so we need to update this dependency instead of
+ libwebp package at the OS level.
+
+ Unlike what was advertised in 1.92.2 changelog this release also
+ impacts PyPI wheels and Debian packages from matrix.org.
+
+ We encourage admins to upgrade as soon as possible.
+
+ Internal Changes
+ - Pillow 10.0.1 is now mandatory because of libwebp
+ CVE-2023-4863, since Pillow provides libwebp in the wheels.
+ (#16347)
+- bump all the dependencies which are not available in tumbleweed.
+
+-------------------------------------------------------------------
+Fri Sep 15 13:57:20 UTC 2023 - Marcus Rueckert
+
+- Update to 1.92.2
+ Only fix in this is actually changing the upstream docker
+ configuration to mitigate the webp security bug. Does not affect
+ our package.
+
+-------------------------------------------------------------------
+Tue Sep 12 20:21:04 UTC 2023 - Marcus Rueckert
+
+- Update to 1.92.1
+ - Bugfixes
+ - Revert MSC3861 introspection cache, admin impersonation and
+ account lock. (#16258)
+ - Internal Changes
+ - Fix incorrect docstring for Ratelimiter. (#16255)
+ - Update the release script to work on macOS. (#16266)
+ - Stop building Ubuntu Kinetic since it is EOL and repos seem
+ to be dead.
+
 -------------------------------------------------------------------
 Wed Sep 6 20:43:15 UTC 2023 - Marcus Rueckert
diff --git a/matrix-synapse.obsinfo b/matrix-synapse.obsinfo
index 0322580..9ef1f66 100644
--- a/matrix-synapse.obsinfo
+++ b/matrix-synapse.obsinfo
@@ -1,4 +1,4 @@
 name: matrix-synapse
-version: 1.91.2
-mtime: 1694013057
-commit: 9de615b3aa4f20cab182cf3822943b9465a30643
+version: 1.92.3
+mtime: 1695044157
+commit: e36990c00e201b35b62a91991be15c35edb20d8d
diff --git a/matrix-synapse.spec b/matrix-synapse.spec
index 9be9974..9a768b3 100644
--- a/matrix-synapse.spec
+++ b/matrix-synapse.spec
@@ -21,17 +21,14 @@
 # NOTE: Keep this is in the same order as pyproject.toml.
 %if %{with use_poetry_for_dependencies}
 %global Jinja2_version 3.1.2
-# TODO: 10.0.0
-%global Pillow_version 9.5.0
-# TODO: 6.0.1
-%global PyYAML_version 6.0
+%global Pillow_version 10.0.1
+%global PyYAML_version 6.0.1
 %global Twisted_version 22.10.0
 %global attrs_version 23.1.0
 %global bcrypt_version 4.0.1
 %global bleach_version 5.0.1
 %global canonicaljson_version 2.0.0
-# TODO: 41.0.3
-%global cryptography_version 41.0.2
+%global cryptography_version 41.0.3
 %global immutabledict_version 3.0.0
 %global idna_version 3.4
 %global ijson_version 3.2.3
@@ -41,15 +38,14 @@
 %global matrix_common_max_version 2
 %global msgpack_version 1.0.5
 %global netaddr_version 0.8.0
-# TODO: 8.13.14
+# TODO: 8.13.19
 %global phonenumbers_version 8.13.18
 # TODO: 0.17.1
 %global prometheus_client_version 0.17.0
 %global psutil_version 2.0.0
 %global pyOpenSSL_version 23.0.0
 %global pyasn1_version 0.5.0
-# TODO 0.3.0
-%global pyasn1_modules_version 0.2.8
+%global pyasn1_modules_version 0.3.0
 %global pymacaroons_version 0.13.0
 %global service_identity_version 23.1.0
 %global signedjson_version 1.1.4
@@ -61,13 +57,12 @@
 %global unpaddedbase64_version 2.1.0
 %global matrix_synapse_ldap3_version 0.2.2
 %global packaging_version 23.1
-%global psycopg2_version 2.9.6
+%global psycopg2_version 2.9.7
 # TODO 7.3.1
 %global pysaml2_version 7.2.1
 %global Authlib_version 1.2.1
-# TODO 4.9.3
-%global lxml_version 4.9.2
-%global sentry_sdk_version 1.29.2
+%global lxml_version 4.9.3
+%global sentry_sdk_version 1.30.0
 %global PyJWT_version 2.4.0
 %global jaeger_client_version 4.8.0
 %global opentracing_version 2.4.0
@@ -76,12 +71,11 @@
 %global txredisapi_version 1.4.9
 %global Pympler_version 1.0.1
 %global pydantic_version 1.9.1
-# TODO: 2.10.2
-%global pyicu_version 2.10.2
+%global pyicu_version 2.11
 %else
 # some version locks based on poetry.lock
 %global Jinja2_version 3.0
-%global Pillow_version 5.4.0
+%global Pillow_version 10.0.1
 %global PyYAML_version 3.13
 %global Twisted_version 18.9.0
 %global attrs_version 21.1.1
@@ -160,7 +154,7 @@
 %define pkgname matrix-synapse
 %define eggname matrix_synapse
 Name: %{pkgname}
-Version: 1.91.2
+Version: 1.92.3
 Release: 0
 Summary: Matrix protocol reference homeserver
 License: Apache-2.0
@@ -198,7 +192,7 @@ BuildRequires: (%{use_python}-poetry-core >= 1.0.0 with %{use_python}-poetry-co
 %{?systemd_ordering}
 %{sysusers_requires}
 %requires_peq %{use_python}-base
-BuildRequires: (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.6.0)
+BuildRequires: (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.7.0)
 # NOTE: Keep this is in the same order as pyproject.toml.
 # some version locks based on poetry.lock
 BuildRequires: %{use_python}-Jinja2 >= %{Jinja2_version}
diff --git a/vendor.tar.zst b/vendor.tar.zst
index f8d692f..b96fdd9 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
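Review bot: In the `%else` fallback branch (the one labelled `# some version locks based on poetry.lock`), `%global Pillow_version` jumps from 5.4.0 to 10.0.1 with no comment on why, so the line now reads as a poetry.lock pin when it is really the new hard minimum upstream put into pyproject (#16347 in this patch's changelog). The changelog also says the reason is that PyPI wheels bundle libwebp (CVE-2023-4863), while a distro-built Pillow presumably links the system libwebp, so on openSUSE this floor only tracks upstream's metadata and the actual fix is the libwebp package; it does mean the package no longer installs where the distro Pillow is older. A one-line comment above the new line, `# upstream hard floor since 1.92.3 (#16347): PyPI wheels bundle libwebp; here the CVE-2023-4863 fix is the system libwebp package`, would keep the next maintainer from lowering it again. The `%if %{with use_poetry_for_dependencies}` block this `%else` closes starts before this hunk.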
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ff32dd13fbe8c28fc0a31caeabf132296d4f72f17f84da2f2fcb8b89f0738ba8
-size 5740177
+oid sha256:7b26ed3c343eb29af62e73dadc59813a8a3e142c62208b906a525fef27b56078
+size 5755545
From fd426452c9f29a13e52a5d72b8ef23bb69bd1cde1e28bce141a422e081dafea8 Mon Sep 17 00:00:00 2001
From: Marcus Rueckert
Date: Tue, 26 Sep 2023 17:40:26 +0000
Subject: [PATCH 2/2] Accepting request 1113707 from home:darix:apps

- Update to 1.93.0

OBS-URL: https://build.opensuse.org/request/show/1113707
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=288
---
 _service | 4 +-
 matrix-synapse-1.92.3.obscpio | 3 --
 matrix-synapse-1.93.0.obscpio | 3 ++
 matrix-synapse-test.spec | 2 +-
 matrix-synapse.changes | 98 +++++++++++++++++++++++++++++++++++
 matrix-synapse.obsinfo | 6 +--
 matrix-synapse.spec | 4 +-
 vendor.tar.zst | 4 +-
 8 files changed, 111 insertions(+), 13 deletions(-)
 delete mode 100644 matrix-synapse-1.92.3.obscpio
 create mode 100644 matrix-synapse-1.93.0.obscpio
diff --git a/_service b/_service
index 51fea58..d4d9fae 100644
--- a/_service
+++ b/_service
@@ -4,11 +4,11 @@
 @PARENT_TAG@
 https://github.com/matrix-org/synapse.git
 git
- v1.92.3
+ v1.93.0
 v(.*)
 \1
diff --git a/matrix-synapse-1.92.3.obscpio b/matrix-synapse-1.92.3.obscpio
deleted file mode 100644
index 2df173d..0000000
--- a/matrix-synapse-1.92.3.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:90148eebf7b4080ec4426230d6769155e9d6e4bdbce77c5d164cc1df2a21c046
-size 35512845
diff --git a/matrix-synapse-1.93.0.obscpio b/matrix-synapse-1.93.0.obscpio
new file mode 100644
index 0000000..80e6c1a
--- /dev/null
+++ b/matrix-synapse-1.93.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f157afec4f14f73cb310e600cd21e5baa615e8a6ea2597a84fb33a542cb21bee
+size 35584013
diff --git a/matrix-synapse-test.spec b/matrix-synapse-test.spec
index bc88f06..2719a64 100644
--- a/matrix-synapse-test.spec
+++ b/matrix-synapse-test.spec
@@ -27,7 +27,7 @@
 %define pkgname matrix-synapse
 Name: %{pkgname}-test
-Version: 1.92.3
+Version: 1.93.0
 Release: 0
 Summary: Test package for %{pkgname}
 License: Apache-2.0
diff --git a/matrix-synapse.changes b/matrix-synapse.changes
index e053626..18bb1bf 100644
--- a/matrix-synapse.changes
+++ b/matrix-synapse.changes
@@ -1,3 +1,101 @@
+-------------------------------------------------------------------
+Tue Sep 26 17:35:26 UTC 2023 - Marcus Rueckert
+
+- Update to 1.93.0
+ The following issues are fixed in 1.93.0 (and RCs).
+
+ GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
+ https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5
+
+ Temporary storage of plaintext passwords during password changes.
+
+ GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
+ https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
+
+ Improper validation of receipts allows forged read receipts.
+
+ See the advisories for more details. If you have any questions, email security@matrix.org.
+
+
+ - Features
+ - Add automatic purge after all users have forgotten a room.
+ (#15488)
+ - Restore room purge/shutdown after a Synapse restart. (#15488)
+ - Support resolving homeservers using matrix-fed DNS SRV
+ records from MSC4040. (#16137)
+ - Add the ability to use G (GiB) and T (TiB) suffixes in
+ configuration options that refer to numbers of bytes.
+ (#16219)
+ - Add span information to requests sent to appservices.
+ Contributed by MTRNord. (#16227)
+ - Add the ability to enable/disable registrations when using
+ CAS. Contributed by Aurélien Grimpard. (#16262)
+ - Allow the /notifications endpoint to be routed to workers.
+ (#16265)
+ - Enable users to easily unsubscribe to notifications emails
+ via the List-Unsubscribe header. (#16274)
+ - Report whether a user is locked in the List Accounts admin
+ API, and exclude locked users by default. (#16328)
+ - Bugfixes
+ - Fix a long-standing bug where multi-device accounts could
+ cause high load due to presence. (#16066, #16170, #16171,
+ #16172, #16174)
+ - Fix a long-standing bug where appservices using MSC2409 to
+ receive to_device messages would only get messages for one
+ user. (#16251)
+ - Fix bug when using workers where Synapse could end up
+ re-requesting the same remote device repeatedly. (#16252)
+ - Fix long-standing bug where we kept re-requesting a remote
+ server's key repeatedly, potentially causing delays in
+ receiving events over federation. (#16257)
+ - Avoid temporary storage of sensitive information. (#16272)
+ - Fix bug introduced in Synapse 1.49.0 when using dehydrated
+ devices (MSC2697) and refresh tokens. Contributed by Hanadi.
+ (#16288)
+ - Fix a long-standing bug where invalid receipts would be
+ accepted. (#16327)
+ - Use standard name for UTF-8 charset in emails. (#16329)
+ - Don't try refetching device lists for users on remote hosts
+ that are marked as "down". (#16298)
+ - Improved Documentation
+ - Fix typos in the documentation. (#16282)
+ - Link to the Alpine Linux community package for Synapse.
+ (#16304)
+ - Use string for federation_client_minimum_tls_version
+ documentation examples. Contributed by @jcgruenhage. (#16353)
+ - Internal Changes
+ - Allow modules to delete rooms. (#15997)
+ - Add GCC and GNU Make to the Nix flake development environment
+ so that ruff can be compiled. (#16090, #16263)
+ - Fix type checking when using the new version of Twisted.
+ (#16235)
+ - Delete device messages asynchronously and in staged batches
+ using the task scheduler. (#16240, #16311, #16312, #16313)
+ - Bump minimum supported Rust version to 1.61.0. (#16248)
+ - Update rust to version 1.71.1 in the nix development
+ environment. (#16260)
+ - Simplify server key storage. (#16261)
+ - Reduce CPU overhead of change password endpoint. (#16264)
+ - Stop purging from tables slated for removal. (#16273)
+ - Improve type hints. (#16276, #16301, #16325, #16326)
+ - Raise setuptools_rust version cap to 1.7.0. (#16277)
+ - Fix using the new task scheduler causing lots of CPU to be
+ used. (#16278)
+ - Upgrade CI run of Python 3.12 from rc1 to rc2. (#16280)
+ - Include values in SQL debug when using execute_values with
+ Postgres. (#16281)
+ - Enable additional linting checks. (#16283)
+ - Refactor receipts_graph Postgres transactions to stop error
+ messages. (#16299)
+ - Small improvements to logging in replication code. (#16309)
+ - Remove a reference cycle in background processes. (#16314)
+ - Only use literal strings for background process names.
+ (#16315)
+ - Refactor get_user_by_id. (#16316)
+ - Speed up task to delete to-device messages. (#16318)
+ - Avoid patching code in tests. (#16349)
+ - Test against PostgreSQL 16. (#16351)
+
 -------------------------------------------------------------------
 Mon Sep 25 23:09:42 UTC 2023 - Marcus Rueckert
diff --git a/matrix-synapse.obsinfo b/matrix-synapse.obsinfo
index 9ef1f66..e108d44 100644
--- a/matrix-synapse.obsinfo
+++ b/matrix-synapse.obsinfo
@@ -1,4 +1,4 @@
 name: matrix-synapse
-version: 1.92.3
-mtime: 1695044157
-commit: e36990c00e201b35b62a91991be15c35edb20d8d
+version: 1.93.0
+mtime: 1695740214
+commit: 88ba67eb91215a708f321e16559fe3c2c0d0a407
diff --git a/matrix-synapse.spec b/matrix-synapse.spec
index 9a768b3..a635cff 100644
--- a/matrix-synapse.spec
+++ b/matrix-synapse.spec
@@ -154,7 +154,7 @@
 %define pkgname matrix-synapse
 %define eggname matrix_synapse
 Name: %{pkgname}
-Version: 1.92.3
+Version: 1.93.0
 Release: 0
 Summary: Matrix protocol reference homeserver
 License: Apache-2.0
@@ -188,7 +188,7 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: sysuser-shadow
 BuildRequires: sysuser-tools
 BuildRequires: unzip
-BuildRequires: (%{use_python}-poetry-core >= 1.0.0 with %{use_python}-poetry-core =< 1.7.0)
+BuildRequires: (%{use_python}-poetry-core >= 1.1.0 with %{use_python}-poetry-core =< 1.7.0)
 %{?systemd_ordering}
 %{sysusers_requires}
 %requires_peq %{use_python}-base
diff --git a/vendor.tar.zst b/vendor.tar.zst
index b96fdd9..12afce8 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7b26ed3c343eb29af62e73dadc59813a8a3e142c62208b906a525fef27b56078
-size 5755545
+oid sha256:2da7c77d5281c44f4627669634dedb57e1a57fb35314306aff79d8f6b7d7466b
+size 5765828