- Update to 1.47.1
This release fixes a security issue in the media store, affecting
all prior releases of Synapse. Server administrators are
encouraged to update Synapse as soon as possible. We are not
aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use
the workarounds described in the linked GitHub Security Advisory
below.
- Security Advisory:
GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
downloading remote media.
Synapse instances with the media repository enabled can be
tricked into downloading a file from a remote server into an
arbitrary directory, potentially outside the media store
directory. The last two directories and file name of the path
are chosen randomly by Synapse and cannot be controlled by an
attacker, which limits the impact. Homeservers with the media
repository disabled are unaffected. Homeservers configured with
a federation whitelist are also unaffected. Fixed by
91f2bd090.
OBS-URL: https://build.opensuse.org/request/show/933284
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=198
- Update to 1.37.1
This release resolves issues (such as #9490) where one busy room
could cause head-of-line blocking, starving Synapse from
processing events in other rooms, and causing all federated
traffic to fall behind. Synapse 1.37.1 processes inbound
federation traffic asynchronously, ensuring that one busy room
won't impact others. Please upgrade to Synapse 1.37.1 as soon as
possible, in order to increase resilience to other traffic
spikes.
- Features
- Handle inbound events from federation asynchronously.
(#10269, #10272)
OBS-URL: https://build.opensuse.org/request/show/903369
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=185
- Update to v1.32.1
This release fixes a regression in Synapse 1.32.0 that caused
connected Prometheus instances to become unstable. If you ran
Synapse 1.32.0 with Prometheus metrics, first upgrade to Synapse
1.32.1 and follow these instructions to clean up any excess
write-ahead logs.
- Bugfixes
- Fix a regression in Synapse 1.32.0 which caused Synapse to
report large numbers of Prometheus time series, potentially
overwhelming Prometheus instances. (#9854)
OBS-URL: https://build.opensuse.org/request/show/887327
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=171
- Update to 1.30.1
This release is identical to Synapse 1.30.0, with the exception
of explicitly setting a minimum version of Python's Cryptography
library to ensure that users of Synapse are protected from the
recent OpenSSL security advisories, especially CVE-2021-3449.
- Internal Changes
- Enforce that `cryptography` dependency is up to date to
ensure it has the most recent openssl patches. (#9697)
- Note: we do not bump the cryptography dependency in our package
as we use the system OpenSSL which gets the fix.
Add dont-bump-cryptography-with-system-openssl.patch to comment
out the dependency because otherwise the newer version
requirement is enforced on startup.
OBS-URL: https://build.opensuse.org/request/show/881504
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=165
- Prepare to support more optional features in the buildrequires
(oidc/redis). Failing at the moment due to missing libraries.
- Update to 1.21.2
- Security advisory
- HTML pages served via Synapse were vulnerable to cross-site
scripting (XSS) attacks. All server administrators are
encouraged to upgrade. (#8444) (CVE-2020-26891)
- This fix was originally included in v1.21.0 but was missing a
security advisory. This was reported by Denis Kasak.
- Bugfixes
- Fix rare bug where sending an event would fail due to a racy
assertion. (#8530)
- An updated version of the authlib dependency is included in
the Docker and Debian images to fix an issue using OpenID
Connect. See #8534 for details.
OBS-URL: https://build.opensuse.org/request/show/841978
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=147
- Update to 1.15.2
- Security
- A malicious homeserver could force Synapse to reset the state
in a room to a small subset of the correct state. This
affects all Synapse deployments which federate with untrusted
servers. (96e9afe6)
- HTML pages served via Synapse were vulnerable to clickjacking
attacks. This predominantly affects homeservers with
single-sign-on enabled, but all server administrators are
encouraged to upgrade. (ea26e9a9)
OBS-URL: https://build.opensuse.org/request/show/818369
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=130
- Update to 1.13.0
This release brings some potential changes necessary for certain
configurations of Synapse:
- If your Synapse is configured to use SSO and has a custom
sso_redirect_confirm_template_dir configuration option set, you
will need to duplicate the new sso_auth_confirm.html,
sso_auth_success.html and sso_account_deactivated.html
templates into that directory.
- Synapse plugins using the complete_sso_login method of
synapse.module_api.ModuleApi should instead switch to the
async/await version, complete_sso_login_async, which includes
additional checks. The former version is now deprecated.
- A bug was introduced in Synapse 1.4.0 which could cause the
room directory to be incomplete or empty if Synapse was
upgraded directly from v1.2.1 or earlier, to versions between
v1.4.0 and v1.12.x.
Please review UPGRADE.rst for more details on these changes and
for general upgrade guidance.
For the complete list of changes please refer to
https://github.com/matrix-org/synapse/releases/tag/v1.13.0
OBS-URL: https://build.opensuse.org/request/show/807359
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=124