Accepting request 915279 from home:darix:apps

- Update to 1.41.1 OBS-URL: https://build.opensuse.org/request/show/915279 OBS-URL: https://build.opensuse.org/package/show/network:messaging:matrix/matrix-synapse?expand=0&rev=191
2021-08-31 14:35:09 +00:00
parent 3387a730b2
commit 5bd783aded
7 changed files with 55 additions and 11 deletions
--- a/matrix-synapse.changes
+++ b/matrix-synapse.changes
@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Tue Aug 31 14:21:51 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.41.1
+  Due to the two security issues highlighted below, server
+  administrators are encouraged to update Synapse. We are not aware
+  of these vulnerabilities being exploited in the wild.
+
+  - Security advisory
+    The following issues are fixed in v1.41.1.
+
+    - GHSA-3x4c-pq33-4w3q / CVE-2021-39164: Enumerating a private
+      room's list of members and their display names.
+
+      If an unauthorized user both knows the Room ID of a private
+      room and that room's history visibility is set to shared,
+      then they may be able to enumerate the room's members,
+      including their display names.
+
+      The unauthorized user must be on the same homeserver as a
+      user who is a member of the target room.
+
+      Fixed by 52c7a51cf.
+
+    - GHSA-jj53-8fmw-f2w2 / CVE-2021-39163: Disclosing a private
+      room's name, avatar, topic, and number of members.
+
+      If an unauthorized user knows the Room ID of a private room,
+      then its name, avatar, topic, and number of members may be
+      disclosed through Group / Community features.
+
+      The unauthorized user must be on the same homeserver as a
+      user who is a member of the target room, and their homeserver
+      must allow non-administrators to create groups
+      (enable_group_creation in the Synapse configuration; off by
+      default).
+
+      Fixed by cb35df940a, #10723.
+
+  - Bugfixes
+    - Fix a regression introduced in Synapse 1.41 which broke email
+      transmission on systems using older versions of the Twisted
+      library. (#10713)
+
 -------------------------------------------------------------------
 Tue Aug 24 16:07:40 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

@@ -1734,9 +1778,9 @@ Wed Jan 13 12:28:54 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
  deprecated and will be removed in a future release. They will be
  replaced by the Delete Room APIe

-	POST /_synapse/admin/v1/rooms/<room_id>/delete replaces
+  POST /_synapse/admin/v1/rooms/<room_id>/delete replaces
  POST /_synapse/admin/v1/purge_room and
-	POST /_synapse/admin/v1/shutdown_room/<room_id>.
+  POST /_synapse/admin/v1/shutdown_room/<room_id>.

  - Features
    - Add an admin API that lets server admins get power in rooms