Add additional release notes.

author: Patrick Cloke <patrickc@matrix.org> 2020-10-15 10:18:02 -0400
committer: Patrick Cloke <patrickc@matrix.org> 2020-10-15 10:18:02 -0400
commit: f49708dee3c46be87a23a934ecba17e7e58d4b16 (patch)
tree: 9da3545add8672988c4896c8fdb9860e8a2d7085
parent: 1.21.2 (diff)
download: synapse-f49708dee3c46be87a23a934ecba17e7e58d4b16.tar.xz
1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 6ef499bd9e..af5a9bafb8 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,10 +1,23 @@
 Synapse 1.21.2 (2020-10-15)
 ===========================
 
+Security advisory
+-----------------
+
+* HTML pages served via Synapse were vulernable to cross-site scripting (XSS)
+  attacks. All server administrators are encouraged to upgrade.
+  ([34ff8da8](https://github.com/matrix-org/synapse/commit/34ff8da83b54024289f515c6d73e6b486574d699))
+  ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891))
+
+  This fix was originally included in v1.21.0 but was missing a security advisory.
+
+  This was reported by [Denis Kasak](https://github.com/dkasak).
+
 Bugfixes
 --------
 
 - Fix rare bug where sending an event would fail due to a racey assertion. ([\#8530](https://github.com/matrix-org/synapse/issues/8530))
+- Fix issues introduced in the packaging of v1.21.1 when using OpenID Connect with the Docker or Debian packages by including an updated version of the authlib dependency.
 
 
 Synapse 1.21.1 (2020-10-13)
author	Patrick Cloke <patrickc@matrix.org>	2020-10-15 10:18:02 -0400
committer	Patrick Cloke <patrickc@matrix.org>	2020-10-15 10:18:02 -0400
commit	f49708dee3c46be87a23a934ecba17e7e58d4b16 (patch)
tree	9da3545add8672988c4896c8fdb9860e8a2d7085
parent	1.21.2 (diff)
download	synapse-f49708dee3c46be87a23a934ecba17e7e58d4b16.tar.xz