1.92.3

author: Mathieu Velten <mathieuv@matrix.org> 2023-09-18 15:29:46 +0200
committer: Mathieu Velten <mathieuv@matrix.org> 2023-09-18 15:29:46 +0200
commit: d8aed6fba7c4b919c5e76352a84686f85b642efc (patch)
tree: ded376f4ac5959c9886e9b0bdc1c4a37bb042454
parent: Mandate Pillow>=10.0.1 because of libwebp CVE (#16347) (diff)
download: synapse-d8aed6fba7c4b919c5e76352a84686f85b642efc.tar.xz
4 files changed, 24 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md
index f913c2069b..09c1ec10d0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,20 @@
+# Synapse 1.92.3 (2023-09-18)
+
+This is again an update targeted at mitigating [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863).
+It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of
+libwebp package at the OS level.
+
+Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages.
+
+
+### Internal Changes
+
+- Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. ([\#16347](https://github.com/matrix-org/synapse/issues/16347))
+
+### Updates to locked dependencies
+
+* Bump pillow from 10.0.0 to 10.0.1. ([\#16344](https://github.com/matrix-org/synapse/issues/16344))
+
 # Synapse 1.92.2 (2023-09-15)
 
 This is a Docker-only update to mitigate [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863), a critical vulnerability in `libwebp`. Server admins not using Docker should ensure that their `libwebp` is up to date (if installed). We encourage admins to upgrade as soon as possible.
diff --git a/changelog.d/16347.misc b/changelog.d/16347.misc
deleted file mode 100644
index f4f5bfb2de..0000000000
--- a/changelog.d/16347.misc
+++ /dev/null
@@ -1 +0,0 @@
-Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels.
diff --git a/debian/changelog b/debian/changelog
index 79e7fccfca..254ca26fd8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.92.3) stable; urgency=medium
+
+  * New Synapse release 1.92.3.
+
+ -- Synapse Packaging team <packages@matrix.org>  Mon, 18 Sep 2023 15:05:04 +0200
+
 matrix-synapse-py3 (1.92.2) stable; urgency=medium
 
   * New Synapse release 1.92.2.
diff --git a/pyproject.toml b/pyproject.toml
index d66089a67d..572e886725 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -89,7 +89,7 @@ manifest-path = "rust/Cargo.toml"
 
 [tool.poetry]
 name = "matrix-synapse"
-version = "1.92.2"
+version = "1.92.3"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "Apache-2.0"
author	Mathieu Velten <mathieuv@matrix.org>	2023-09-18 15:29:46 +0200
committer	Mathieu Velten <mathieuv@matrix.org>	2023-09-18 15:29:46 +0200
commit	d8aed6fba7c4b919c5e76352a84686f85b642efc (patch)
tree	ded376f4ac5959c9886e9b0bdc1c4a37bb042454
parent	Mandate Pillow>=10.0.1 because of libwebp CVE (#16347) (diff)
download	synapse-d8aed6fba7c4b919c5e76352a84686f85b642efc.tar.xz