summary refs log tree commit diff
path: root/CHANGES.md
diff options
context:
space:
mode:
authorMathieu Velten <mathieuv@matrix.org>2023-09-18 16:55:05 +0200
committerMathieu Velten <mathieuv@matrix.org>2023-09-18 16:55:05 +0200
commit1f36041c80df4f72c6b41d8c8458541370b1ce7c (patch)
tree901705eb339a9ab5dabd0c633ed6044cd654d07b /CHANGES.md
parentStop patching EventBase.__eq__ in tests. (#16349) (diff)
parentUpdate changelog (diff)
downloadsynapse-1f36041c80df4f72c6b41d8c8458541370b1ce7c.tar.xz
Merge branch 'master' into develop
Diffstat (limited to '')
-rw-r--r--CHANGES.md19
1 files changed, 19 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 37ea886a81..b59503e083 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,22 @@
+# Synapse 1.92.3 (2023-09-18)
+
+This is again a security update targeted at mitigating [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863).
+It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of
+libwebp package at the OS level.
+
+Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages from matrix.org.
+
+We encourage admins to upgrade as soon as possible.
+
+
+### Internal Changes
+
+- Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. ([\#16347](https://github.com/matrix-org/synapse/issues/16347))
+
+### Updates to locked dependencies
+
+* Bump pillow from 10.0.0 to 10.0.1. ([\#16344](https://github.com/matrix-org/synapse/issues/16344))
+
 # Synapse 1.92.2 (2023-09-15)
 
 This is a Docker-only update to mitigate [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863), a critical vulnerability in `libwebp`. Server admins not using Docker should ensure that their `libwebp` is up to date (if installed). We encourage admins to upgrade as soon as possible.