author | Erik Johnston <erik@matrix.org> | 2020-12-09 10:41:39 +0000
---|---|---
committer | Erik Johnston <erik@matrix.org> | 2020-12-09 11:07:41 +0000
commit | 1cec3d145770b52a7588cdf9df552189da634c5f (patch) |
tree | 70dfbbd5b219a011ff2661edfcd5ed9c9a0a03bb /CHANGES.md |
parent | Fix installing pysaml2 on Python 3.5. (#8898) (diff) |
download | synapse-1cec3d145770b52a7588cdf9df552189da634c5f.tar.xz |
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 52b2fd6f8f..55f53eb69f 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,3 +1,55 @@ +Synapse 1.23.1 (2020-12-09) +=========================== + +Due to the two security issues highlighted below, server administrators are +encouraged to update Synapse. We are not aware of these vulnerabilities being +exploited in the wild. + +Security advisory +----------------- + +The following issues are fixed in v1.23.1 and v1.24.0. + +- There is a denial of service attack + ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257)) + against the federation APIs in which future events will not be correctly sent + to other servers over federation. This affects all servers that participate in + open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)). + +- Synapse may be affected by OpenSSL + [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971). + Synapse administrators should ensure that they have the latest versions of + the cryptography Python package installed. + +To upgrade Synapse along with the cryptography package: + +* Administrators using the [`matrix.org` Docker + image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu + packages from + `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages) + should ensure that they have version 1.24.0 or 1.23.1 installed: these images include + the updated packages. +* Administrators who have [installed Synapse from + source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source) + should upgrade the cryptography package within their virtualenv by running: + ```sh + <path_to_virtualenv>/bin/pip install 'cryptography>=3.3' + ``` +* Administrators who have installed Synapse from distribution packages should + consult the information from their distributions. + +Bugfixes +-------- + +- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. 
([\#8776](https://github.com/matrix-org/synapse/issues/8776)) + + +Internal Changes +---------------- + +- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898)) + + Synapse 1.23.0 (2020-11-18) =========================== |
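Review bot: the cryptography bullet under "Security advisory" tells administrators to install "the latest versions of the cryptography Python package", while the upgrade command further down fixes a concrete floor, `cryptography>=3.3`; state that minimum in the bullet itself so that administrators on the Docker image, the Debian/Ubuntu packages or distribution packages (who never run the pip line) know which version to verify. Two smaller points in the same hunk: the advisory links #8776 as a pull request (`.../pull/8776`) while the Bugfixes entry links the same number under `.../issues/8776`, so one of the two should be changed for consistency; and the Bugfixes line about mismatched parameters in the URI and the request body does not say that it is the fix for CVE-2020-26257, so a reader scanning only the Bugfixes section cannot tell that entry is security-relevant.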