Accepting request 1113708 from network:messaging:matrix

- Update to 1.93.0
  The following issues are fixed in 1.93.0 (and RCs).
  GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
  https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5
  Temporary storage of plaintext passwords during password changes.
  GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
  https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
  Improper validation of receipts allows forged read receipts.
  See the advisories for more details. If you have any questions, email security@matrix.org.

OBS-URL: https://build.opensuse.org/request/show/1113708
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=85
Dominique Leuenberger 2023-09-27 22:25:02 +00:00 committed by Git OBS Bridge
commit 5dd7bb3425
8 changed files with 167 additions and 30 deletions

@ -4,11 +4,11 @@
<param name="versionformat">@PARENT_TAG@</param>
<param name="url">https://github.com/matrix-org/synapse.git</param>
<param name="scm">git</param>
<param name="revision">v1.91.2</param>
<param name="revision">v1.93.0</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
<!--
<param name="revision">v1.92.0rc1</param>
<param name="revision">v1.94.0rc1</param>
<param name="versionrewrite-pattern">v([\.\d]+)(rc.*)</param>
<param name="versionrewrite-replacement">\1~\2</param>
-->
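
Review bot: `<param name="revision">v1.93.0</param>` tracks a tag name, and a tag can be moved upstream after this request is accepted, so a later service run could fetch different source under the same version. The .obsinfo in this request already records commit 88ba67eb91215a708f321e16559fe3c2c0d0a407; either pin the revision to that hash or check on each service run that the tag still resolves to it.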

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8df6270da824c716c7855c1dbe4426801844378f369274ad9233dd5bc19e0cc2
size 35482637

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f157afec4f14f73cb310e600cd21e5baa615e8a6ea2597a84fb33a542cb21bee
size 35584013

@ -27,7 +27,7 @@
%define pkgname matrix-synapse
Name: %{pkgname}-test
Version: 1.91.2
Version: 1.93.0
Release: 0
Summary: Test package for %{pkgname}
License: Apache-2.0

@ -1,3 +1,146 @@
-------------------------------------------------------------------
Tue Sep 26 17:35:26 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.93.0
The following issues are fixed in 1.93.0 (and RCs).
GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5
Temporary storage of plaintext passwords during password changes.
GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
Improper validation of receipts allows forged read receipts.
See the advisories for more details. If you have any questions, email security@matrix.org.
- Features
- Add automatic purge after all users have forgotten a room.
(#15488)
- Restore room purge/shutdown after a Synapse restart. (#15488)
- Support resolving homeservers using matrix-fed DNS SRV
records from MSC4040. (#16137)
- Add the ability to use G (GiB) and T (TiB) suffixes in
configuration options that refer to numbers of bytes.
(#16219)
- Add span information to requests sent to appservices.
Contributed by MTRNord. (#16227)
- Add the ability to enable/disable registrations when using
CAS. Contributed by Aurélien Grimpard. (#16262)
- Allow the /notifications endpoint to be routed to workers.
(#16265)
- Enable users to easily unsubscribe to notifications emails
via the List-Unsubscribe header. (#16274)
- Report whether a user is locked in the List Accounts admin
API, and exclude locked users by default. (#16328)
- Bugfixes
- Fix a long-standing bug where multi-device accounts could
cause high load due to presence. (#16066, #16170, #16171,
#16172, #16174)
- Fix a long-standing bug where appservices using MSC2409 to
receive to_device messages would only get messages for one
user. (#16251)
- Fix bug when using workers where Synapse could end up
re-requesting the same remote device repeatedly. (#16252)
- Fix long-standing bug where we kept re-requesting a remote
server's key repeatedly, potentially causing delays in
receiving events over federation. (#16257)
- Avoid temporary storage of sensitive information. (#16272)
- Fix bug introduced in Synapse 1.49.0 when using dehydrated
devices (MSC2697) and refresh tokens. Contributed by Hanadi.
(#16288)
- Fix a long-standing bug where invalid receipts would be
accepted. (#16327)
- Use standard name for UTF-8 charset in emails. (#16329)
- Don't try refetching device lists for users on remote hosts
that are marked as "down". (#16298)
- Improved Documentation
- Fix typos in the documentation. (#16282)
- Link to the Alpine Linux community package for Synapse.
(#16304)
- Use string for federation_client_minimum_tls_version
documentation examples. Contributed by @jcgruenhage. (#16353)
- Internal Changes
- Allow modules to delete rooms. (#15997)
- Add GCC and GNU Make to the Nix flake development environment
so that ruff can be compiled. (#16090, #16263)
- Fix type checking when using the new version of Twisted.
(#16235)
- Delete device messages asynchronously and in staged batches
using the task scheduler. (#16240, #16311, #16312, #16313)
- Bump minimum supported Rust version to 1.61.0. (#16248)
- Update rust to version 1.71.1 in the nix development
environment. (#16260)
- Simplify server key storage. (#16261)
- Reduce CPU overhead of change password endpoint. (#16264)
- Stop purging from tables slated for removal. (#16273)
- Improve type hints. (#16276, #16301, #16325, #16326)
- Raise setuptools_rust version cap to 1.7.0. (#16277)
- Fix using the new task scheduler causing lots of CPU to be
used. (#16278)
- Upgrade CI run of Python 3.12 from rc1 to rc2. (#16280)
- Include values in SQL debug when using execute_values with
Postgres. (#16281)
- Enable additional linting checks. (#16283)
- Refactor receipts_graph Postgres transactions to stop error
messages. (#16299)
- Small improvements to logging in replication code. (#16309)
- Remove a reference cycle in background processes. (#16314)
- Only use literal strings for background process names.
(#16315)
- Refactor get_user_by_id. (#16316)
- Speed up task to delete to-device messages. (#16318)
- Avoid patching code in tests. (#16349)
- Test against PostgreSQL 16. (#16351)
-------------------------------------------------------------------
Mon Sep 25 23:09:42 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.92.3
This release does not affect openSUSE as we do not use the intree
libwebp
Upstream changes:
This is again a security update targeted at mitigating
CVE-2023-4863. It turns out that libwebp is bundled statically in
Pillow wheels so we need to update this dependency instead of
libwebp package at the OS level.
Unlike what was advertised in 1.92.2 changelog this release also
impacts PyPI wheels and Debian packages from matrix.org.
We encourage admins to upgrade as soon as possible.
Internal Changes
- Pillow 10.0.1 is now mandatory because of libwebp
CVE-2023-4863, since Pillow provides libwebp in the wheels.
(#16347)
- bump all the dependencies which are not available in tumbleweed.
-------------------------------------------------------------------
Fri Sep 15 13:57:20 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.92.2
Only fix in this is actually changing the upstream docker
configuration to mitigate the webp security bug. Does not affect
our package.
-------------------------------------------------------------------
Tue Sep 12 20:21:04 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.92.1
- Bugfixes
- Revert MSC3861 introspection cache, admin impersonation and
account lock. (#16258)
- Internal Changes
- Fix incorrect docstring for Ratelimiter. (#16255)
- Update the release script to work on macOS. (#16266)
- Stop building Ubuntu Kinetic since it is EOL and repos seem
to be dead.
-------------------------------------------------------------------
Wed Sep 6 20:43:15 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
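
Review bot: The 1.92.2 entry refers only to "the webp security bug" and never names the CVE, while the 1.92.3 entry right above it uses CVE-2023-4863; put the identifier in the 1.92.2 entry too, so a search of the changelog for the CVE finds both updates and their "does not affect our package" statements. In the 1.92.3 entry, "bump all the dependencies which are not available in tumbleweed" reads as the opposite of what the spec change does and should be reworded.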

@ -1,4 +1,4 @@
name: matrix-synapse
version: 1.91.2
mtime: 1694013057
commit: 9de615b3aa4f20cab182cf3822943b9465a30643
version: 1.93.0
mtime: 1695740214
commit: 88ba67eb91215a708f321e16559fe3c2c0d0a407

@ -21,17 +21,14 @@
# NOTE: Keep this is in the same order as pyproject.toml.
%if %{with use_poetry_for_dependencies}
%global Jinja2_version 3.1.2
# TODO: 10.0.0
%global Pillow_version 9.5.0
# TODO: 6.0.1
%global PyYAML_version 6.0
%global Pillow_version 10.0.1
%global PyYAML_version 6.0.1
%global Twisted_version 22.10.0
%global attrs_version 23.1.0
%global bcrypt_version 4.0.1
%global bleach_version 5.0.1
%global canonicaljson_version 2.0.0
# TODO: 41.0.3
%global cryptography_version 41.0.2
%global cryptography_version 41.0.3
%global immutabledict_version 3.0.0
%global idna_version 3.4
%global ijson_version 3.2.3
@ -41,15 +38,14 @@
%global matrix_common_max_version 2
%global msgpack_version 1.0.5
%global netaddr_version 0.8.0
# TODO: 8.13.14
# TODO: 8.13.19
%global phonenumbers_version 8.13.18
# TODO: 0.17.1
%global prometheus_client_version 0.17.0
%global psutil_version 2.0.0
%global pyOpenSSL_version 23.0.0
%global pyasn1_version 0.5.0
# TODO 0.3.0
%global pyasn1_modules_version 0.2.8
%global pyasn1_modules_version 0.3.0
%global pymacaroons_version 0.13.0
%global service_identity_version 23.1.0
%global signedjson_version 1.1.4
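
Review bot: Two floors in this hunk still trail their own TODO markers: `# TODO: 8.13.19` sits above `phonenumbers_version 8.13.18`, and `# TODO: 0.17.1` above `prometheus_client_version 0.17.0`. The phonenumbers TODO was retargeted in this change without saying what blocks the bump; either raise the floors or extend the comments with the reason, so the gap between the spec and the upstream lock is deliberate and visible.
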
@ -61,13 +57,12 @@
%global unpaddedbase64_version 2.1.0
%global matrix_synapse_ldap3_version 0.2.2
%global packaging_version 23.1
%global psycopg2_version 2.9.6
%global psycopg2_version 2.9.7
# TODO 7.3.1
%global pysaml2_version 7.2.1
%global Authlib_version 1.2.1
# TODO 4.9.3
%global lxml_version 4.9.2
%global sentry_sdk_version 1.29.2
%global lxml_version 4.9.3
%global sentry_sdk_version 1.30.0
%global PyJWT_version 2.4.0
%global jaeger_client_version 4.8.0
%global opentracing_version 2.4.0
@ -76,12 +71,11 @@
%global txredisapi_version 1.4.9
%global Pympler_version 1.0.1
%global pydantic_version 1.9.1
# TODO: 2.10.2
%global pyicu_version 2.10.2
%global pyicu_version 2.11
%else
# some version locks based on poetry.lock
%global Jinja2_version 3.0
%global Pillow_version 5.4.0
%global Pillow_version 10.0.1
%global PyYAML_version 3.13
%global Twisted_version 18.9.0
%global attrs_version 21.1.1
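
Review bot: `%global Pillow_version 10.0.1` in the `%else` branch raises the loose floor from 5.4.0 to 10.0.1 with no comment, while the 1.92.3 changelog entry in this request says the libwebp issue does not affect openSUSE because the in-tree libwebp is not used. If the distribution's Pillow links the system libwebp, this floor adds no protection and can make the package unresolvable on targets with an older Pillow; keep the lower bound here, or add a comment stating why 10.0.1 is required so the line is not relaxed or questioned later.
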
@ -160,7 +154,7 @@
%define pkgname matrix-synapse
%define eggname matrix_synapse
Name: %{pkgname}
Version: 1.91.2
Version: 1.93.0
Release: 0
Summary: Matrix protocol reference homeserver
License: Apache-2.0
@ -194,11 +188,11 @@ BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
BuildRequires: unzip
BuildRequires: (%{use_python}-poetry-core >= 1.0.0 with %{use_python}-poetry-core =< 1.7.0)
BuildRequires: (%{use_python}-poetry-core >= 1.1.0 with %{use_python}-poetry-core =< 1.7.0)
%{?systemd_ordering}
%{sysusers_requires}
%requires_peq %{use_python}-base
BuildRequires: (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.6.0)
BuildRequires: (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.7.0)
# NOTE: Keep this is in the same order as pyproject.toml.
# some version locks based on poetry.lock
BuildRequires: %{use_python}-Jinja2 >= %{Jinja2_version}
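
Review bot: The poetry-core floor moves from 1.0.0 to 1.1.0 in this hunk, but the .changes entry only mentions the setuptools_rust cap (#16277); add a line for the poetry-core change so the new build requirement is traceable. As a style point, the `=<` comparison on both BuildRequires lines is normally written `<=`.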

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ff32dd13fbe8c28fc0a31caeabf132296d4f72f17f84da2f2fcb8b89f0738ba8
size 5740177
oid sha256:2da7c77d5281c44f4627669634dedb57e1a57fb35314306aff79d8f6b7d7466b
size 5765828