- Update to 1.92.3
This release does not affect openSUSE as we do not use the in-tree
libwebp.
Upstream changes:
This is again a security update targeted at mitigating
CVE-2023-4863. It turns out that libwebp is bundled statically in
Pillow wheels so we need to update this dependency instead of
libwebp package at the OS level.
Unlike what was advertised in the 1.92.2 changelog, this release also
impacts PyPI wheels and Debian packages from matrix.org.
We encourage admins to upgrade as soon as possible.
Internal Changes
- Pillow 10.0.1 is now mandatory because of libwebp
CVE-2023-4863, since Pillow provides libwebp in the wheels.
(#16347)
- Bump all the dependencies which are not available in Tumbleweed.
- Update to 1.92.2
The only fix in this release is a change to the upstream docker
configuration to mitigate the webp security bug. It does not affect
our package.
- Update to 1.92.1
- Bugfixes
- Revert MSC3861 introspection cache, admin impersonation and
account lock. (#16258)
- Internal Changes
- Fix incorrect docstring for Ratelimiter. (#16255)
- Update the release script to work on macOS. (#16266)
- Stop building Ubuntu Kinetic since it is EOL and repos seem
OBS-URL: https://build.opensuse.org/request/show/1113560
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=287
- Update to 1.85.0
- Security
- GHSA-26c5-ppr8-f33p / CVE-2023-32682 — Low Severity. It may be
possible for a deactivated user to log in when using uncommon
configurations. (boo#1212055)
- GHSA-98px-6486-j7qc / CVE-2023-32683 — Low Severity. A
discovered oEmbed or image URL can bypass the
url_preview_url_blacklist setting, potentially allowing server
side request forgery or bypassing network policies. Impact is
limited to IP addresses allowed by the
url_preview_ip_range_blacklist setting (by default this only
allows public IPs). (boo#1212054)
OBS-URL: https://build.opensuse.org/request/show/1091083
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=273
- Update to 1.61.1
This patch release fixes a security issue regarding URL previews,
affecting all prior versions of Synapse. Server administrators
are encouraged to update Synapse as soon as possible. We are not
aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use
the workarounds described in the linked GitHub Security Advisory
below.
The following issue is fixed in 1.61.1.
GHSA-22p3-qrh9-cx32 / CVE-2022-31052
Synapse instances with the url_preview_enabled homeserver config
option set to true are affected. URL previews of some web pages
can lead to unbounded recursion, causing the request to either
fail, or in some cases crash the running Synapse process.
Requesting URL previews requires authentication. Nevertheless, it
is possible to exploit this maliciously, either by malicious
users on the homeserver, or by remote users sending URLs that a
local user's client may automatically request a URL preview for.
Homeservers with the url_preview_enabled configuration option set
to false (the default) are unaffected. Instances with the
enable_media_repo configuration option set to false are also
unaffected, as this also disables URL preview functionality.
Fixed by fa1308061802ac7b7d20e954ba7372c5ac292333.
- force python 3.10 on TW
OBS-URL: https://build.opensuse.org/request/show/985625
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=228
- With the previous change we would not need use_python anymore,
because we can now also find the packages that provide python3-X.
But I keep the conditional around for e.g. testing with python
3.10.
- Replace requires_eq with requires_peq: (boo#1195316)
The only difference between the two macros is that the new macro
also considers provides, so we can track package names over
renames.
- Update to 1.51.0
Synapse 1.51.0 deprecates webclient listeners and non-HTTP(S)
web_client_locations. Support for these will be removed in
Synapse 1.53.0, at which point Synapse will not be capable of
directly serving a web client for Matrix. See the upgrade notes.
- Features
- Add track_puppeted_user_ips config flag to record client IP
addresses against puppeted users, and include the puppeted
users in monthly active user counts. (#11561, #11749, #11757)
- Include whether the requesting user has participated in a
thread when generating a summary for MSC3440. (#11577)
- Return an M_FORBIDDEN error code instead of M_UNKNOWN when a
spam checker module prevents a user from creating a room.
(#11672)
- Add a flag to the synapse_review_recent_signups script to
ignore and filter appservice users. (#11675, #11770)
- Bugfixes
- Fix a bug introduced in Synapse 1.40.0 that caused Synapse to
fail to process incoming federation traffic after handling a
large amount of events in a v1 room. (#11806)
OBS-URL: https://build.opensuse.org/request/show/950937
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=206
- Update to 1.47.1
This release fixes a security issue in the media store, affecting
all prior releases of Synapse. Server administrators are
encouraged to update Synapse as soon as possible. We are not
aware of these vulnerabilities being exploited in the wild.
Server administrators who are unable to update Synapse may use
the workarounds described in the linked GitHub Security Advisory
below.
- Security Advisory:
GHSA-3hfw-x7gx-437c / CVE-2021-41281: Path traversal when
downloading remote media.
Synapse instances with the media repository enabled can be
tricked into downloading a file from a remote server into an
arbitrary directory, potentially outside the media store
directory. The last two directories and file name of the path
are chosen randomly by Synapse and cannot be controlled by an
attacker, which limits the impact. Homeservers with the media
repository disabled are unaffected. Homeservers configured with
a federation whitelist are also unaffected. Fixed by
91f2bd090.
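The three advisories in this changelog that depend on homeserver configuration (CVE-2022-31052 and CVE-2023-32683 require url_preview_enabled, CVE-2021-41281 requires the media repository without a federation whitelist) can be triaged from homeserver.yaml before a package update lands. The following script is an added example, not part of the openSUSE package or of Synapse; it reads a constructed homeserver.yaml excerpt with a deliberately minimal parser (top-level scalars and simple block lists only) and reports which of these advisories an unpatched instance with that configuration is exposed to. The option names come from the advisories above; the defaults assumed are enable_media_repo true and url_preview_enabled false.

```python
"""Exposure check for the config-dependent Synapse advisories in this changelog.

Added example, not part of the openSUSE package or of Synapse itself.
The YAML subset parser is intentionally minimal; the sample configuration
is constructed for illustration only.
"""
import re

# Advisory ids from this changelog with the release that fixed each one.
ADVISORIES = {
    "CVE-2022-31052": "URL preview unbounded recursion (fixed in 1.61.1)",
    "CVE-2021-41281": "path traversal when downloading remote media (fixed in 1.47.1)",
    "CVE-2023-32683": "url_preview_url_blacklist bypass / SSRF (fixed in 1.85.0)",
}

# Constructed homeserver.yaml excerpt, not taken from any real deployment.
SAMPLE_CONFIG = """\
# constructed homeserver.yaml excerpt
server_name: "example.test"
enable_media_repo: true
url_preview_enabled: true
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
federation_domain_whitelist:
  - trusted.example.test
"""

_SCALAR = re.compile(r"^([A-Za-z0-9_]+):\s*(.*?)\s*$")
_ITEM = re.compile(r"^\s+-\s+(.*?)\s*$")


def parse_flat_yaml(text):
    """Parse top-level `key: value` scalars and `key:` followed by `- item` lists.

    Quotes are stripped and true/false become bools. Nested mappings and
    other YAML features are out of scope for this check.
    """
    cfg, current_list = {}, None
    for raw in text.splitlines():
        # Drop full-line and trailing comments.
        line = "" if raw.lstrip().startswith("#") else raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _ITEM.match(line)
        if m and current_list is not None:
            cfg[current_list].append(m.group(1).strip("'\""))
            continue
        m = _SCALAR.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if value == "":
            # A bare `key:` opens a block list collected on the following lines.
            cfg[key] = []
            current_list = key
        else:
            current_list = None
            cfg[key] = {"true": True, "false": False}.get(value.lower(), value)
    return cfg


def exposed_advisories(cfg):
    """Return the advisory ids an unpatched instance with this config is exposed to."""
    media_repo = cfg.get("enable_media_repo", True)          # assumed Synapse default: enabled
    previews = media_repo and cfg.get("url_preview_enabled", False)  # default: disabled
    whitelisted = bool(cfg.get("federation_domain_whitelist"))
    exposed = []
    if previews:
        # Both URL preview advisories need url_preview_enabled (and the media repo).
        exposed.append("CVE-2022-31052")
        exposed.append("CVE-2023-32683")
    if media_repo and not whitelisted:
        # Remote media download is only reachable without a federation whitelist.
        exposed.append("CVE-2021-41281")
    return exposed


def report(text):
    """Human-readable lines for each advisory the configuration is exposed to."""
    cfg = parse_flat_yaml(text)
    return [f"{cve}: {ADVISORIES[cve]}" for cve in exposed_advisories(cfg)]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

For the constructed excerpt the script reports the two URL preview advisories and not the media path traversal, because the federation whitelist is set. Running it against a real homeserver.yaml only tells you which advisories could apply; the authoritative fix remains updating to the versions named in the entries above.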
OBS-URL: https://build.opensuse.org/request/show/933284
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=198