diff options
author | Patrick Cloke <patrickc@matrix.org> | 2020-07-02 10:34:28 -0400 |
---|---|---|
committer | Patrick Cloke <patrickc@matrix.org> | 2020-07-02 10:35:59 -0400 |
commit | e8c36e527d4e817b09abf96cc2cb342c699316d0 (patch) | |
tree | e1b0e3a4988f33625cda07fc7d3677baa25b6430 /CHANGES.md | |
parent | Correctly handle outliers as prev events over federation (diff) | |
download | synapse-e8c36e527d4e817b09abf96cc2cb342c699316d0.tar.xz |
1.15.2
Diffstat (limited to '')
-rw-r--r-- | CHANGES.md | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 9a30a2e901..25ec35025e 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,23 @@ +Synapse 1.15.2 (2020-07-02) +=========================== + +Due to the two security issues highlight below, server administrators are +encouraged to update Synapse. We are not aware of these vulnerabilities being +exploited in the wild. + +Security advisory +----------------- + +* A malicious homeserver could force Synapse to reset the state in a room to a + small subset of the correct state. This affects all Synapse deployments which + federate with untrusted servers. +* HTML pages served via Synapse were vulnerable to clickjacking attacks. This + predominantly affects homeservers with single-sign-on enabled, but all server + administrators are encouraged to upgrade. + + This was reported by [Quentin Gliech](https://sandhose.fr/). + + Synapse 1.15.1 (2020-06-16) =========================== |