Accepting request 1190513 from network:messaging:matrix

- Update to 1.112.0 (boo#1228596)
  The actual security fix will be in the python3x-Twisted package:

OBS-URL: https://build.opensuse.org/request/show/1190513
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/matrix-synapse?expand=0&rev=105

_service

@@ -4,11 +4,11 @@
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="url">https://github.com/element-hq/synapse.git</param>
     <param name="scm">git</param>
-    <param name="revision">v1.111.0</param>
+    <param name="revision">v1.112.0</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
     <!--
-    <param name="revision">v1.112.0rc1</param>
+    <param name="revision">v1.113.0rc1</param>
     <param name="versionrewrite-pattern">v([\.\d]+)(rc.*)</param>
     <param name="versionrewrite-replacement">\1~\2</param>
     -->

matrix-synapse-1.111.0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f9752a3658adfb2eeec225a3f5f4a61b055c345bc28416cb86a1299a461838fe
-size 37170701

matrix-synapse-1.112.0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d0ac72c80abe374740683f0af068b45baa067a102ae9deaf0f324d20b375f31
+size 37371405

matrix-synapse-test.spec

@@ -27,7 +27,7 @@
 
 %define         pkgname matrix-synapse
 Name:           %{pkgname}-test
-Version:        1.111.0
+Version:        1.112.0
 Release:        0
 Summary:        Test package for %{pkgname}
 License:        AGPL-3.0-or-later

matrix-synapse.changes

@@ -1,3 +1,118 @@
+-------------------------------------------------------------------
+Tue Jul 30 17:07:03 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.112.0 (boo#1228596)
+
+  The actual security fix will be in the python3x-Twisted package:
+
+  This security release is to update our locked dependency on
+  Twisted to 24.7.0rc1, which includes a security fix for
+  CVE-2024-41671 / GHSA-c8m8-j448-xjx7: Disordered HTTP pipeline
+  response in twisted.web, again.
+
+  Note that this security fix is also available as Synapse 1.111.1,
+  which does not include the rest of the changes in Synapse
+  1.112.0.
+
+  This issue means that, if multiple HTTP requests are pipelined in
+  the same TCP connection, Synapse can send responses to the wrong
+  HTTP request. If a reverse proxy was configured to use HTTP
+  pipelining, this could result in responses being sent to the
+  wrong user, severely harming confidentiality.
+
+  With that said, despite being a high severity issue, we consider
+  it unlikely that Synapse installations will be affected. The use
+  of HTTP pipelining in this fashion would cause worse performance
+  for clients (request-response latencies would be increased as
+  users' responses would be artificially blocked behind other
+  users' slow requests). Further, Nginx and Haproxy, two common
+  reverse proxies, do not appear to support configuring their
+  upstreams to use HTTP pipelining and thus would not be affected.
+  For both of these reasons, we consider it unlikely that a Synapse
+  deployment would be set up in such a configuration.
+
+  Despite that, we cannot rule out that some installations may
+  exist with this unusual setup and so we are releasing this
+  security update today.
+
+  pip users: Note that by default, upgrading Synapse using pip will
+  not automatically upgrade Twisted. Please manually install the
+  new version of Twisted using pip install Twisted==24.7.0rc1. Note
+  also that even the --upgrade-strategy=eager flag to pip install
+  -U matrix-synapse will not upgrade Twisted to a patched version
+  because it is only a release candidate at this time.
+
+  - Features
+    - Add to-device extension support to experimental MSC3575
+      Sliding Sync /sync endpoint. (#17416)
+    - Populate name/avatar fields in experimental MSC3575 Sliding
+      Sync /sync endpoint. (#17418)
+    - Populate heroes and room summary fields (joined_count,
+      invited_count) in experimental MSC3575 Sliding Sync /sync
+      endpoint. (#17419)
+    - Populate is_dm room field in experimental MSC3575 Sliding
+      Sync /sync endpoint. (#17429)
+    - Add room subscriptions to experimental MSC3575 Sliding Sync
+      /sync endpoint. (#17432)
+    - Prepare for authenticated media freeze. (#17433)
+    - Add E2EE extension support to experimental MSC3575 Sliding
+      Sync /sync endpoint. (#17454)
+  - Bugfixes
+    - Add configurable option to always include offline users in
+      presence sync results. Contributed by @Michael-Hollister.
+      (#17231)
+    - Fix bug in experimental MSC3575 Sliding Sync /sync endpoint
+      when using room type filters and the user has one or more
+      remote invites. (#17434)
+    - Order heroes by stream_ordering as the Matrix specification
+      states (applies to /sync). (#17435)
+    - Fix rare bug where /sync would break for a user when using
+      workers with multiple stream writers. (#17438)
+  - Improved Documentation
+    - Update the readme image to have a white background, so that
+      it is readable in dark mode. (#17387)
+    - Add Red Hat Enterprise Linux and Rocky Linux 8 and 9
+      installation instructions. (#17423)
+    - Improve documentation for the
+      default_power_level_content_override config option. (#17451)
+  - Internal Changes
+    - Make sure we always use the right logic for enabling the
+      media repo. (#17424)
+    - Fix argument documentation for method
+      RateLimiter.record_action. (#17426)
+    - Reduce volume of 'Waiting for current token' logs, which were
+      introduced in v1.109.0. (#17428)
+    - Limit concurrent remote downloads to 6 per IP address, and
+      decrement remote downloads without a content-length from the
+      ratelimiter after the download is complete. (#17439)
+    - Remove unnecessary call to resume producing in fake channel.
+      (#17449)
+    - Update experimental MSC3575 Sliding Sync /sync endpoint to
+      bump room when it is created. (#17453)
+    - Speed up generating sliding sync responses. (#17458)
+    - Add cache to get_rooms_for_local_user_where_membership_is to
+      speed up sliding sync. (#17460)
+    - Speed up fetching room keys from backup. (#17461)
+    - Speed up sorting of the room list in sliding sync. (#17468)
+    - Implement handling of $ME as a state key in sliding sync.
+      (#17469)
+  - Updates to locked dependencies
+    - Bump bytes from 1.6.0 to 1.6.1. (#17441)
+    - Bump hiredis from 2.3.2 to 3.0.0. (#17464)
+    - Bump jsonschema from 4.22.0 to 4.23.0. (#17444)
+    - Bump matrix-org/done-action from 2 to 3. (#17440)
+    - Bump mypy from 1.9.0 to 1.10.1. (#17445)
+    - Bump pyopenssl from 24.1.0 to 24.2.1. (#17465)
+    - Bump ruff from 0.5.0 to 0.5.4. (#17466)
+    - Bump sentry-sdk from 2.6.0 to 2.8.0. (#17456)
+    - Bump sentry-sdk from 2.8.0 to 2.10.0. (#17467)
+    - Bump setuptools from 67.6.0 to 70.0.0. (#17448)
+    - Bump twine from 5.1.0 to 5.1.1. (#17443)
+    - Bump types-jsonschema from 4.22.0.20240610 to
+      4.23.0.20240712. (#17446)
+    - Bump ulid from 1.1.2 to 1.1.3. (#17442)
+    - Bump zipp from 3.15.0 to 3.19.1. (#17427)
+
 -------------------------------------------------------------------
 Tue Jul 16 12:42:41 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
 

matrix-synapse.obsinfo

@@ -1,4 +1,4 @@
 name: matrix-synapse
-version: 1.111.0
-mtime: 1721127326
-commit: 574aa53126c238148189f80b37b2ad14052cc429
+version: 1.112.0
+mtime: 1722356649
+commit: 37f9876ccfdd9963cda4ff802882b9eec037877a

matrix-synapse.spec

@@ -21,8 +21,7 @@
 # NOTE: Keep this is in the same order as pyproject.toml.
 %if %{with use_poetry_for_dependencies}
 %global Jinja2_version                3.1.4
-# TODO: 10.4.0
-%global Pillow_version                10.3.0
+%global Pillow_version                10.4.0
 %global PyYAML_version                6.0.1
 %global attrs_version                 23.2.0
 %global bcrypt_version                4.1.3
@@ -42,6 +41,7 @@
 %global phonenumbers_version          8.13.39
 %global prometheus_client_version     0.20.0
 %global psutil_version                2.0.0
+# todo: 24.2.1
 %global pyOpenSSL_version             24.1.0
 %global pyasn1_version                0.6.0
 %global pyasn1_modules_version        0.3.0
@@ -60,10 +60,11 @@
 %global pysaml2_version               7.3.1
 %global Authlib_version               1.3.1
 %global lxml_version                  5.2.2
-%global sentry_sdk_version            2.6.0
+%global sentry_sdk_version            2.10.0
 %global PyJWT_version                 2.6.0
 %global jaeger_client_version         4.8.0
 %global opentracing_version           2.4.0
+# todo: 3.0.0
 %global hiredis_version               2.3.2
 %global txredisapi_version            1.4.10
 %global Pympler_version               1.0.1
@@ -153,7 +154,7 @@
 %define         pkgname matrix-synapse
 %define         eggname matrix_synapse
 Name:           %{pkgname}
-Version:        1.111.0
+Version:        1.112.0
 Release:        0
 Summary:        Matrix protocol reference homeserver
 License:        AGPL-3.0-or-later

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f8392e8dd6b4e0ba2b1bf15f5369f1164287d08579444b8b0ec2227eda487546
-size 7112154
+oid sha256:df0325c14caa2cfbf67954376cbe5b4611ffff740ba1dd39c97ff4e1364ad4bc
+size 7263419