- Update to 1.85.2
  - Bugfixes
    - Fix regression where using TLS for HTTP replication between
      workers did not work. Introduced in v1.85.0. (#15746)
- Update to 1.85.1
  Note: this release only fixes a bug that stopped some deployments
  from upgrading to v1.85.0. There is no need to upgrade to v1.85.1
  if successfully running v1.85.0.
  - Bugfixes
    - Fix bug in schema delta that broke upgrades for some
      deployments. Introduced in v1.85.0. (#15738, #15739)
- make sure that the pythons define and use_python do not diverge by
  moving them closer to each other.
- Update to 1.85.0
  - Security
    - GHSA-26c5-ppr8-f33p / CVE-2023-32682 — Low Severity It may be
      possible for a deactivated user to login when using uncommon
      configurations. (boo#1212055)
    - GHSA-98px-6486-j7qc / CVE-2023-32683 — Low Severity A
      discovered oEmbed or image URL can bypass the
      url_preview_url_blacklist setting potentially allowing server
      side request forgery or bypassing network policies. Impact is
      limited to IP addresses allowed by the
      url_preview_ip_range_blacklist setting (by default this only
      allows public IPs). (boo#1212054)
  - Features
    - Improve performance of backfill requests by performing
OBS-URL: https://build.opensuse.org/request/show/1097110
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=81
- Update to 1.85.0
  - Security
    - GHSA-26c5-ppr8-f33p / CVE-2023-32682 — Low Severity It may be
      possible for a deactivated user to login when using uncommon
      configurations. (boo#1212055)
    - GHSA-98px-6486-j7qc / CVE-2023-32683 — Low Severity A
      discovered oEmbed or image URL can bypass the
      url_preview_url_blacklist setting potentially allowing server
      side request forgery or bypassing network policies. Impact is
      limited to IP addresses allowed by the
      url_preview_ip_range_blacklist setting (by default this only
      allows public IPs). (boo#1212054)
OBS-URL: https://build.opensuse.org/request/show/1091083
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=273
- As 14221.patch is modified to skip the parts we don't need
  (changelog snippets) remove the url from the spec file.
- All the shebang line fixing should skip the vendor directory so
  that we do not break the checksum checks in cargo.
- Added https://patch-diff.githubusercontent.com/raw/matrix-org/synapse/pull/14221.patch
  Same fix for the cache_memory as for url_preview
- python-six is not required
  https://trello.com/c/MO53MocR/143-remove-python3-six
- Update to 1.69.0
  Please note that legacy Prometheus metric names are now
  deprecated and will be removed in Synapse 1.73.0. Server
  administrators should update their dashboards and alerting rules
  to avoid using the deprecated metric names. See the upgrade notes
  for more details.
  - Features
    - Allow application services to set the origin_server_ts of a
      state event by providing the query parameter ts in PUT
      /_matrix/client/r0/rooms/{roomId}/state/{eventType}/{stateKey},
      per MSC3316. Contributed by @lukasdenk. (#11866)
    - Allow server admins to require a manual approval process
      before new accounts can be used (using MSC3866). (#13556)
    - Exponentially backoff from backfilling the same event over
      and over. (#13635, #13936)
    - Add cache invalidation across workers to module API. (#13667,
      #13947)
    - Experimental implementation of MSC3882 to allow an existing
OBS-URL: https://build.opensuse.org/request/show/1030137
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=72
- Update to 1.61.1
  This patch release fixes a security issue regarding URL previews,
  affecting all prior versions of Synapse. Server administrators
  are encouraged to update Synapse as soon as possible. We are not
  aware of these vulnerabilities being exploited in the wild.
  Server administrators who are unable to update Synapse may use
  the workarounds described in the linked GitHub Security Advisory
  below.
  The following issue is fixed in 1.61.1.
  GHSA-22p3-qrh9-cx32 / CVE-2022-31052
  Synapse instances with the url_preview_enabled homeserver config
  option set to true are affected. URL previews of some web pages
  can lead to unbounded recursion, causing the request to either
  fail, or in some cases crash the running Synapse process.
  Requesting URL previews requires authentication. Nevertheless, it
  is possible to exploit this maliciously, either by malicious
  users on the homeserver, or by remote users sending URLs that a
  local user's client may automatically request a URL preview for.
  Homeservers with the url_preview_enabled configuration option set
  to false (the default) are unaffected. Instances with the
  enable_media_repo configuration option set to false are also
  unaffected, as this also disables URL preview functionality.
  Fixed by fa1308061802ac7b7d20e954ba7372c5ac292333.
- force python 3.10 on TW
OBS-URL: https://build.opensuse.org/request/show/985625
OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=228