author: Patrick Cloke <patrickc@matrix.org> 2020-10-15 10:43:54 -0400
committer: Patrick Cloke <patrickc@matrix.org> 2020-10-15 10:43:54 -0400
commit: 74976a8e43b9ab1d06b3142a8197dfb1e3626c6d
tree: 36411bd6c8fd337b08a56d963e2ce9cfeb6b24a6
parent: Merge branch 'release-v1.21.2' into develop
parent: Additional tweaks.
Merge branch 'master' into develop
-rw-r--r-- CHANGES.md 24
-rw-r--r-- changelog.d/8530.bugfix 1
-rw-r--r-- debian/changelog 7
-rw-r--r-- synapse/__init__.py 2
4 files changed, 32 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 75dc5fa893..38a0814bbf 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,27 @@
+Synapse 1.21.2 (2020-10-15)
+===========================
+
+Debian packages and Docker images have been rebuilt using the latest versions of dependency libraries, including authlib 0.15.1. Please see bugfixes below.
+
+Security advisory
+-----------------
+
+* HTML pages served via Synapse were vulnerable to cross-site scripting (XSS)
+  attacks. All server administrators are encouraged to upgrade.
+  ([\#8444](https://github.com/matrix-org/synapse/pull/8444))
+  ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891))
+
+  This fix was originally included in v1.21.0 but was missing a security advisory.
+
+  This was reported by [Denis Kasak](https://github.com/dkasak).
+
+Bugfixes
+--------
+
+- Fix rare bug where sending an event would fail due to a racey assertion. ([\#8530](https://github.com/matrix-org/synapse/issues/8530))
+- An updated version of the authlib dependency is included in the Docker and Debian images to fix an issue using OpenID Connect. See [\#8534](https://github.com/matrix-org/synapse/issues/8534) for details.
+
+
 Synapse 1.21.1 (2020-10-13)
 ===========================
 
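Review bot: The advisory bullet under "Security advisory" never states which releases are affected, and because it sits under the 1.21.2 heading an administrator on 1.21.0 or 1.21.1 could conclude they still need this upgrade for CVE-2020-26891. The follow-up sentence "This fix was originally included in v1.21.0" implies the answer, but it would be clearer to say in the first sentence that versions before 1.21.0 are affected. Minor style points in the same hunk: the advisory list uses `*` bullets while "Bugfixes" uses `-`, and "racey" should be "racy".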
diff --git a/changelog.d/8530.bugfix b/changelog.d/8530.bugfix
deleted file mode 100644
index 443d88424e..0000000000
--- a/changelog.d/8530.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix rare bug where sending an event would fail due to a racey assertion.
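Review bot: Only the 8530 newsfragment is removed here, while the CHANGES.md hunk also adds a Bugfixes entry referencing #8534. If that entry was hand-written for the release, that is fine; if a fragment for it exists on develop, it should be deleted in the same merge so the text is not emitted a second time in the next generated changelog.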
diff --git a/debian/changelog b/debian/changelog
index eeafd4f50a..8d873a4845 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+matrix-synapse-py3 (1.21.2) stable; urgency=medium
+
+  [ Synapse Packaging team ]
+  * New synapse release 1.21.2.
+
+ -- Synapse Packaging team <packages@matrix.org>  Thu, 15 Oct 2020 09:23:27 -0400
+
 matrix-synapse-py3 (1.21.1) stable; urgency=medium
 
   [ Synapse Packaging team ]
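Review bot: The new entry's only item, "New synapse release 1.21.2.", omits the change that is specific to the packages. CHANGES.md states that the Debian packages were rebuilt against updated dependencies, including authlib 0.15.1, to fix an OpenID Connect issue, and that is what a Debian administrator reading this file needs to know. Consider adding a second bullet noting the dependency rebuild.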
diff --git a/synapse/__init__.py b/synapse/__init__.py
index 722b53a67d..83b8e4897f 100644
--- a/synapse/__init__.py
+++ b/synapse/__init__.py
@@ -48,7 +48,7 @@ try:
 except ImportError:
     pass
 
-__version__ = "1.21.1"
+__version__ = "1.21.2"
 
 if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
     # We import here so that we don't have to install a bunch of deps when
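Review bot: The literal on the `+__version__ = "1.21.2"` line has to agree with the release headers added by hand in CHANGES.md and debian/changelog, and nothing in this change enforces that. A release check that compares the three values would catch a mismatched bump before packages are built.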