Accepting request 1113708 from network:messaging:matrix

- Update to 1.93.0
  The following issues are fixed in 1.93.0 (and RCs).
  GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
  https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5
  Temporary storage of plaintext passwords during password changes.
  GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
  https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
  Improper validation of receipts allows forged read receipts.
  See the advisories for more details. If you have any questions, email security@matrix.org.

OBS-URL: https://build.opensuse.org/request/show/1113708
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=85

_service

@@ -4,11 +4,11 @@
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="url">https://github.com/matrix-org/synapse.git</param>
     <param name="scm">git</param>
-    <param name="revision">v1.91.2</param>
+    <param name="revision">v1.93.0</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
     <!--
-    <param name="revision">v1.92.0rc1</param>
+    <param name="revision">v1.94.0rc1</param>
     <param name="versionrewrite-pattern">v([\.\d]+)(rc.*)</param>
     <param name="versionrewrite-replacement">\1~\2</param>
     -->

matrix-synapse-1.91.2.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8df6270da824c716c7855c1dbe4426801844378f369274ad9233dd5bc19e0cc2
-size 35482637

matrix-synapse-1.93.0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f157afec4f14f73cb310e600cd21e5baa615e8a6ea2597a84fb33a542cb21bee
+size 35584013

matrix-synapse-test.spec

@@ -27,7 +27,7 @@
 
 %define         pkgname matrix-synapse
 Name:           %{pkgname}-test
-Version:        1.91.2
+Version:        1.93.0
 Release:        0
 Summary:        Test package for %{pkgname}
 License:        Apache-2.0

matrix-synapse.changes

@@ -1,3 +1,146 @@
+-------------------------------------------------------------------
+Tue Sep 26 17:35:26 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.93.0
+  The following issues are fixed in 1.93.0 (and RCs).
+
+  GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
+  https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5
+
+  Temporary storage of plaintext passwords during password changes.
+
+  GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
+  https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
+
+  Improper validation of receipts allows forged read receipts.
+
+  See the advisories for more details. If you have any questions, email security@matrix.org.
+
+
+  - Features
+    - Add automatic purge after all users have forgotten a room.
+      (#15488)
+    - Restore room purge/shutdown after a Synapse restart. (#15488)
+    - Support resolving homeservers using matrix-fed DNS SRV
+      records from MSC4040. (#16137)
+    - Add the ability to use G (GiB) and T (TiB) suffixes in
+      configuration options that refer to numbers of bytes.
+      (#16219)
+    - Add span information to requests sent to appservices.
+      Contributed by MTRNord. (#16227)
+    - Add the ability to enable/disable registrations when using
+      CAS. Contributed by Aurélien Grimpard. (#16262)
+    - Allow the /notifications endpoint to be routed to workers.
+      (#16265)
+    - Enable users to easily unsubscribe to notifications emails
+      via the List-Unsubscribe header. (#16274)
+    - Report whether a user is locked in the List Accounts admin
+      API, and exclude locked users by default. (#16328)
+  - Bugfixes
+    - Fix a long-standing bug where multi-device accounts could
+      cause high load due to presence. (#16066, #16170, #16171,
+      #16172, #16174)
+    - Fix a long-standing bug where appservices using MSC2409 to
+      receive to_device messages would only get messages for one
+      user. (#16251)
+    - Fix bug when using workers where Synapse could end up
+      re-requesting the same remote device repeatedly. (#16252)
+    - Fix long-standing bug where we kept re-requesting a remote
+      server's key repeatedly, potentially causing delays in
+      receiving events over federation. (#16257)
+    - Avoid temporary storage of sensitive information. (#16272)
+    - Fix bug introduced in Synapse 1.49.0 when using dehydrated
+      devices (MSC2697) and refresh tokens. Contributed by Hanadi.
+      (#16288)
+    - Fix a long-standing bug where invalid receipts would be
+      accepted. (#16327)
+    - Use standard name for UTF-8 charset in emails. (#16329)
+    - Don't try refetching device lists for users on remote hosts
+      that are marked as "down". (#16298)
+  - Improved Documentation
+    - Fix typos in the documentation. (#16282)
+    - Link to the Alpine Linux community package for Synapse.
+      (#16304)
+    - Use string for federation_client_minimum_tls_version
+      documentation examples. Contributed by @jcgruenhage. (#16353)
+  - Internal Changes
+    - Allow modules to delete rooms. (#15997)
+    - Add GCC and GNU Make to the Nix flake development environment
+      so that ruff can be compiled. (#16090, #16263)
+    - Fix type checking when using the new version of Twisted.
+      (#16235)
+    - Delete device messages asynchronously and in staged batches
+      using the task scheduler. (#16240, #16311, #16312, #16313)
+    - Bump minimum supported Rust version to 1.61.0. (#16248)
+    - Update rust to version 1.71.1 in the nix development
+      environment. (#16260)
+    - Simplify server key storage. (#16261)
+    - Reduce CPU overhead of change password endpoint. (#16264)
+    - Stop purging from tables slated for removal. (#16273)
+    - Improve type hints. (#16276, #16301, #16325, #16326)
+    - Raise setuptools_rust version cap to 1.7.0. (#16277)
+    - Fix using the new task scheduler causing lots of CPU to be
+      used. (#16278)
+    - Upgrade CI run of Python 3.12 from rc1 to rc2. (#16280)
+    - Include values in SQL debug when using execute_values with
+      Postgres. (#16281)
+    - Enable additional linting checks. (#16283)
+    - Refactor receipts_graph Postgres transactions to stop error
+      messages. (#16299)
+    - Small improvements to logging in replication code. (#16309)
+    - Remove a reference cycle in background processes. (#16314)
+    - Only use literal strings for background process names.
+      (#16315)
+    - Refactor get_user_by_id. (#16316)
+    - Speed up task to delete to-device messages. (#16318)
+    - Avoid patching code in tests. (#16349)
+    - Test against PostgreSQL 16. (#16351)
+
+-------------------------------------------------------------------
+Mon Sep 25 23:09:42 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.92.3
+  This release does not affect openSUSE as we do not use the intree
+  libwebp
+
+  Upstream changes:
+  This is again a security update targeted at mitigating
+  CVE-2023-4863. It turns out that libwebp is bundled statically in
+  Pillow wheels so we need to update this dependency instead of
+  libwebp package at the OS level.
+
+  Unlike what was advertised in 1.92.2 changelog this release also
+  impacts PyPI wheels and Debian packages from matrix.org.
+
+  We encourage admins to upgrade as soon as possible.
+
+  Internal Changes
+  - Pillow 10.0.1 is now mandatory because of libwebp
+    CVE-2023-4863, since Pillow provides libwebp in the wheels.
+    (#16347)
+- bump all the dependencies which are not available in tumbleweed.
+
+-------------------------------------------------------------------
+Fri Sep 15 13:57:20 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.92.2
+  Only fix in this is actually changing the upstream docker
+  configuration to mitigate the webp security bug. Does not affect
+  our package.
+
+-------------------------------------------------------------------
+Tue Sep 12 20:21:04 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.92.1
+  - Bugfixes
+    - Revert MSC3861 introspection cache, admin impersonation and
+      account lock. (#16258)
+  - Internal Changes
+    - Fix incorrect docstring for Ratelimiter. (#16255)
+    - Update the release script to work on macOS. (#16266)
+    - Stop building Ubuntu Kinetic since it is EOL and repos seem
+      to be dead.
+
 -------------------------------------------------------------------
 Wed Sep  6 20:43:15 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
 

matrix-synapse.obsinfo

@@ -1,4 +1,4 @@
 name: matrix-synapse
-version: 1.91.2
+version: 1.93.0
-mtime: 1694013057
+mtime: 1695740214
-commit: 9de615b3aa4f20cab182cf3822943b9465a30643
+commit: 88ba67eb91215a708f321e16559fe3c2c0d0a407

matrix-synapse.spec

@@ -21,17 +21,14 @@
 # NOTE: Keep this is in the same order as pyproject.toml.
 %if %{with use_poetry_for_dependencies}
 %global Jinja2_version                3.1.2
-# TODO: 10.0.0
+%global Pillow_version                10.0.1
-%global Pillow_version                9.5.0
+%global PyYAML_version                6.0.1
-# TODO: 6.0.1
-%global PyYAML_version                6.0
 %global Twisted_version               22.10.0
 %global attrs_version                 23.1.0
 %global bcrypt_version                4.0.1
 %global bleach_version                5.0.1
 %global canonicaljson_version         2.0.0
-# TODO: 41.0.3
+%global cryptography_version          41.0.3
-%global cryptography_version          41.0.2
 %global immutabledict_version         3.0.0
 %global idna_version                  3.4
 %global ijson_version                 3.2.3
@@ -41,15 +38,14 @@
 %global matrix_common_max_version     2
 %global msgpack_version               1.0.5
 %global netaddr_version               0.8.0
-# TODO: 8.13.14
+# TODO: 8.13.19
 %global phonenumbers_version          8.13.18
 # TODO: 0.17.1
 %global prometheus_client_version     0.17.0
 %global psutil_version                2.0.0
 %global pyOpenSSL_version             23.0.0
 %global pyasn1_version                0.5.0
-# TODO 0.3.0
+%global pyasn1_modules_version        0.3.0
-%global pyasn1_modules_version        0.2.8
 %global pymacaroons_version           0.13.0
 %global service_identity_version      23.1.0
 %global signedjson_version            1.1.4
@@ -61,13 +57,12 @@
 %global unpaddedbase64_version        2.1.0
 %global matrix_synapse_ldap3_version  0.2.2
 %global packaging_version             23.1
-%global psycopg2_version              2.9.6
+%global psycopg2_version              2.9.7
 # TODO             7.3.1
 %global pysaml2_version               7.2.1
 %global Authlib_version               1.2.1
-# TODO             4.9.3
+%global lxml_version                  4.9.3
-%global lxml_version                  4.9.2
+%global sentry_sdk_version            1.30.0
-%global sentry_sdk_version            1.29.2
 %global PyJWT_version                 2.4.0
 %global jaeger_client_version         4.8.0
 %global opentracing_version           2.4.0
@@ -76,12 +71,11 @@
 %global txredisapi_version            1.4.9
 %global Pympler_version               1.0.1
 %global pydantic_version              1.9.1
-# TODO: 2.10.2
+%global pyicu_version                 2.11
-%global pyicu_version                 2.10.2
 %else
 # some version locks based on poetry.lock
 %global Jinja2_version                3.0
-%global Pillow_version                5.4.0
+%global Pillow_version                10.0.1
 %global PyYAML_version                3.13
 %global Twisted_version               18.9.0
 %global attrs_version                 21.1.1
@@ -160,7 +154,7 @@
 %define         pkgname matrix-synapse
 %define         eggname matrix_synapse
 Name:           %{pkgname}
-Version:        1.91.2
+Version:        1.93.0
 Release:        0
 Summary:        Matrix protocol reference homeserver
 License:        Apache-2.0
@@ -194,11 +188,11 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-shadow
 BuildRequires:  sysuser-tools
 BuildRequires:  unzip
-BuildRequires:  (%{use_python}-poetry-core >= 1.0.0 with %{use_python}-poetry-core =< 1.7.0)
+BuildRequires:  (%{use_python}-poetry-core >= 1.1.0 with %{use_python}-poetry-core =< 1.7.0)
 %{?systemd_ordering}
 %{sysusers_requires}
 %requires_peq   %{use_python}-base
-BuildRequires:  (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.6.0)
+BuildRequires:  (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.7.0)
 # NOTE: Keep this is in the same order as pyproject.toml.
 # some version locks based on poetry.lock
 BuildRequires:  %{use_python}-Jinja2 >= %{Jinja2_version}

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ff32dd13fbe8c28fc0a31caeabf132296d4f72f17f84da2f2fcb8b89f0738ba8
+oid sha256:2da7c77d5281c44f4627669634dedb57e1a57fb35314306aff79d8f6b7d7466b
-size 5740177
+size 5765828