diff options
| author | Mathieu Velten <mathieuv@matrix.org> | 2023-09-18 16:55:05 +0200 |
|---|---|---|
| committer | Mathieu Velten <mathieuv@matrix.org> | 2023-09-18 16:55:05 +0200 |
| commit | 1f36041c80df4f72c6b41d8c8458541370b1ce7c (patch) | |
| tree | 901705eb339a9ab5dabd0c633ed6044cd654d07b | |
| parent | Stop patching EventBase.__eq__ in tests. (#16349) (diff) | |
| parent | Update changelog (diff) | |
| download | synapse-1f36041c80df4f72c6b41d8c8458541370b1ce7c.tar.xz | |
Merge branch 'master' into develop
| -rw-r--r-- | CHANGES.md | 19 | ||||
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | pyproject.toml | 2 |
3 files changed, 26 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index 37ea886a81..b59503e083 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,22 @@ +# Synapse 1.92.3 (2023-09-18) + +This is again a security update targeted at mitigating [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863). +It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of +libwebp package at the OS level. + +Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages from matrix.org. + +We encourage admins to upgrade as soon as possible. + + +### Internal Changes + +- Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. ([\#16347](https://github.com/matrix-org/synapse/issues/16347)) + +### Updates to locked dependencies + +* Bump pillow from 10.0.0 to 10.0.1. ([\#16344](https://github.com/matrix-org/synapse/issues/16344)) + # Synapse 1.92.2 (2023-09-15) This is a Docker-only update to mitigate [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863), a critical vulnerability in `libwebp`. Server admins not using Docker should ensure that their `libwebp` is up to date (if installed). We encourage admins to upgrade as soon as possible. diff --git a/debian/changelog b/debian/changelog index 79e7fccfca..254ca26fd8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +matrix-synapse-py3 (1.92.3) stable; urgency=medium + + * New Synapse release 1.92.3. + + -- Synapse Packaging team <packages@matrix.org> Mon, 18 Sep 2023 15:05:04 +0200 + matrix-synapse-py3 (1.92.2) stable; urgency=medium * New Synapse release 1.92.2. diff --git a/pyproject.toml b/pyproject.toml index 9c9a5dc2bc..7f1e773159 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -95,7 +95,7 @@ manifest-path = "rust/Cargo.toml" [tool.poetry] name = "matrix-synapse" -version = "1.92.2" +version = "1.92.3" description = "Homeserver for the Matrix decentralised comms protocol" authors = ["Matrix.org Team and Contributors <packages@matrix.org>"] license = "Apache-2.0" |