1.15.2

author: Patrick Cloke <patrickc@matrix.org> 2020-07-02 10:34:28 -0400
committer: Patrick Cloke <patrickc@matrix.org> 2020-07-02 10:35:59 -0400
commit: e8c36e527d4e817b09abf96cc2cb342c699316d0 (patch)
tree: e1b0e3a4988f33625cda07fc7d3677baa25b6430 /CHANGES.md
parent: Correctly handle outliers as prev events over federation (diff)
download: synapse-e8c36e527d4e817b09abf96cc2cb342c699316d0.tar.xz
1 files changed, 20 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 9a30a2e901..25ec35025e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,23 @@
+Synapse 1.15.2 (2020-07-02)
+===========================
+
+Due to the two security issues highlight below, server administrators are
+encouraged to update Synapse. We are not aware of these vulnerabilities being
+exploited in the wild.
+
+Security advisory
+-----------------
+
+* A malicious homeserver could force Synapse to reset the state in a room to a
+  small subset of the correct state. This affects all Synapse deployments which
+  federate with untrusted servers.
+* HTML pages served via Synapse were vulnerable to clickjacking attacks. This
+  predominantly affects homeservers with single-sign-on enabled, but all server
+  administrators are encouraged to upgrade.
+
+  This was reported by [Quentin Gliech](https://sandhose.fr/).
+
+
 Synapse 1.15.1 (2020-06-16)
 ===========================
author	Patrick Cloke <patrickc@matrix.org>	2020-07-02 10:34:28 -0400
committer	Patrick Cloke <patrickc@matrix.org>	2020-07-02 10:35:59 -0400
commit	e8c36e527d4e817b09abf96cc2cb342c699316d0 (patch)
tree	e1b0e3a4988f33625cda07fc7d3677baa25b6430 /CHANGES.md
parent	Correctly handle outliers as prev events over federation (diff)
download	synapse-e8c36e527d4e817b09abf96cc2cb342c699316d0.tar.xz