This is the Synapse portion of the Matrix coordinated security
release. This release includes support for room version 12 which
fixes a number of security vulnerabilities, including
CVE-2025-49090.

The default room version is not changed. Not all clients will
support room version 12 immediately, and not all users will be
using the latest version of their clients. Large, public rooms
are advised to wait a few weeks before upgrading to room version
12 to allow users throughout the Matrix ecosystem to update their
clients.

- Bugfixes
  - Fix invalidation of storage cache that was broken in 1.135.0.
    (#18786)
- Internal Changes
  - Add a parameter to upgrade_rooms(..) to allow auto join local
    users. (#82)
  - Speed up upgrading a room with large numbers of banned users.
    (#18574)
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=397
Forwarded request #1289571 from darix
- Update to 1.133.0
- Features
  - Add support for the MSC4260 user report API. (#18120)
- Bugfixes
  - Fix an issue where, during state resolution for v11 rooms,
    Synapse would incorrectly calculate the power level of the
    creator when there was no power levels event in the room.
    (#18534, #18547)
  - Fix long-standing bug where sliding sync did not honour the
    room_id_to_include config option. (#18535)
  - Fix an issue where "Lock timeout is getting excessive"
    warnings would be logged even when the lock timeout was <10
    minutes. (#18543)
  - Fix an issue where Synapse could calculate the wrong power
    level for the creator of the room if there was no power
    levels event. (#18545)
- Improved Documentation
  - Generate config documentation from JSON Schema file. (#18528)
  - Fix typo in user type documentation. (#18568)
- Internal Changes
  - Increase performance of introspecting access tokens when
    using delegated auth. (#18357, #18561)
  - Log user deactivations. (#18541)
  - Enable flake8-logging and flake8-logging-format rules in Ruff
    and fix related issues throughout the codebase. (#18542)
  - Clean up old, unused rows from the device_federation_inbox
    table. (#18546)
  - Run config schema CI on develop and release branches.
    (#18551)
  - Add support for Twisted 25.5.0+ releases. (#18577)
OBS-URL: https://build.opensuse.org/request/show/1289572
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=134
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=391
Forwarded request #1274931 from darix
- Update to 1.129.0
- Features
  - Add passthrough_authorization_parameters in OIDC
    configuration to allow passing parameters to the
    authorization grant URL. (#18232)
  - Add total_event_count, total_message_count, and
    total_e2ee_event_count fields to the homeserver usage
    statistics. (#18260)
- Bugfixes
  - Fix force_tracing_for_users config when using delegated auth.
    (#18334)
  - Fix the token introspection cache logging access tokens when
    MAS integration is in use. (#18335)
  - Stop caching introspection failures when delegating auth to
    MAS. (#18339)
  - Fix ExternalIDReuse exception after migrating to MAS on
    workers with high traffic. (#18342)
  - Fix minor performance regression caused by tracking of room
    participation. Regressed in v1.128.0. (#18345)
- Updates to the Docker image
  - Optimize the build of the complement-synapse image. (#18294)
- Internal Changes
  - Revert the slow background update introduced by #18068 in
    v1.128.0. (#18372)
  - Revert "Add total event, unencrypted message, and e2ee event
    counts to stats reporting", added in v1.129.0rc1. (#18373)
  - Disable statement timeout during room purge. (#18133)
  - Add cache to storage functions used to auth requests when
    using delegated auth. (#18337)
OBS-URL: https://build.opensuse.org/request/show/1274932
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=130
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=383
Forwarded request #1255974 from darix
- Update to 1.127.0
- Features
  - Update MSC4140 implementation to no longer cancel a user's
    own delayed state events with an event type & state key that
    match a more recent state event sent by that user. (#17810)
- Improved Documentation
  - Fixed a minor typo in the Synapse documentation. Contributed
    by @karuto12. (#18224)
- Internal Changes
  - Remove undocumented SYNAPSE_USE_FROZEN_DICTS environment
    variable. (#18123)
  - Fix detection of workflow failures in the release script.
    (#18211)
  - Add caching support to media endpoints. (#18235)
- Updates to locked dependencies
  - Bump anyhow from 1.0.96 to 1.0.97. (#18201)
  - Bump bcrypt from 4.2.1 to 4.3.0. (#18207)
  - Bump bytes from 1.10.0 to 1.10.1. (#18227)
  - Bump http from 1.2.0 to 1.3.1. (#18245)
  - Bump sentry-sdk from 2.19.2 to 2.22.0. (#18205)
  - Bump serde from 1.0.218 to 1.0.219. (#18228)
  - Bump serde_json from 1.0.139 to 1.0.140. (#18202)
  - Bump ulid from 1.2.0 to 1.2.1. (#18246)
OBS-URL: https://build.opensuse.org/request/show/1255975
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=125
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=373
Forwarded request #1237891 from darix
- Update to 1.122.0

Please note that this version of Synapse drops support for
PostgreSQL 11 and 12. The minimum version of PostgreSQL supported
is now version 13.

- Deprecations and Removals
  - Remove support for PostgreSQL 11 and 12. Contributed by @clokep. (#18034)
- Features
  - Added the email.tlsname config option. This allows specifying
    the domain name used to validate the SMTP server's TLS
    certificate separately from the email.smtp_host to connect
    to. (#17849)
  - Module developers will have access to the user ID of the
    requester when adding check_username_for_spam callbacks to
    spam_checker_module_callbacks. Contributed by
    Wilson@Pangea.chat. (#17916)
  - Add endpoints to the Admin API to fetch the number of invites
    the provided user has sent after a given timestamp, fetch the
    number of rooms the provided user has joined after a given
    timestamp, and get report IDs of event reports against a
    provided user (i.e. where the user was the sender of the
    reported event). (#17948)
  - Support stable account suspension from MSC3823. (#17964)
  - Add macaroon_secret_key_path config option. (#17983)
- Bugfixes
  - Fix bug when rejecting withdrawn invite with a
    third_party_rules module, where the invite would be stuck for
    the client. (#17930)
  - Properly purge state groups tables when purging a room with
    the Admin API. (#18024)
  - Fix a bug preventing the admin redaction endpoint from
OBS-URL: https://build.opensuse.org/request/show/1237892
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=119
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=360