5 files changed, 59 insertions, 3 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 52b2fd6f8f..55f53eb69f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,55 @@
+Synapse 1.23.1 (2020-12-09)
+===========================
+
+Due to the two security issues highlighted below, server administrators are
+encouraged to update Synapse. We are not aware of these vulnerabilities being
+exploited in the wild.
+
+Security advisory
+-----------------
+
+The following issues are fixed in v1.23.1 and v1.24.0.
+
+- There is a denial of service attack
+ ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
+ against the federation APIs in which future events will not be correctly sent
+ to other servers over federation. This affects all servers that participate in
+ open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).
+
+- Synapse may be affected by OpenSSL
+ [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
+ Synapse administrators should ensure that they have the latest versions of
+ the cryptography Python package installed.
+
+To upgrade Synapse along with the cryptography package:
+
+* Administrators using the [`matrix.org` Docker
+ image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
+ packages from
+ `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
+ should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
+ the updated packages.
+* Administrators who have [installed Synapse from
+ source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
+ should upgrade the cryptography package within their virtualenv by running:
+ ```sh
+ <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
+ ```
+* Administrators who have installed Synapse from distribution packages should
+ consult the information from their distributions.
+
+Bugfixes
+--------
+
+- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))
+
+
+Internal Changes
+----------------
+
+- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
+
+
Synapse 1.23.0 (2020-11-18)
===========================
diff --git a/changelog.d/8776.bugfix b/changelog.d/8776.bugfix
deleted file mode 100644
index dd7ebbeb86..0000000000
--- a/changelog.d/8776.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body.
diff --git a/changelog.d/8898.misc b/changelog.d/8898.misc
deleted file mode 100644
index bdb0d40d51..0000000000
--- a/changelog.d/8898.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add a maximum version for pysaml2 on Python 3.5.
diff --git a/debian/changelog b/debian/changelog
index 4ea4feddd5..0342fafddf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.23.1) stable; urgency=medium
+
+ * New synapse release 1.23.1.
+
+ -- Synapse Packaging team <packages@matrix.org> Wed, 09 Dec 2020 10:40:39 +0000
+
matrix-synapse-py3 (1.23.0) stable; urgency=medium
* New synapse release 1.23.0.
diff --git a/synapse/__init__.py b/synapse/__init__.py
index 65c1f5aa3f..c38a8f613d 100644
--- a/synapse/__init__.py
+++ b/synapse/__init__.py
@@ -48,7 +48,7 @@ try:
except ImportError:
pass
-__version__ = "1.23.0"
+__version__ = "1.23.1"
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
# We import here so that we don't have to install a bunch of deps when
|
