diff options
| author | Richard van der Hoff <richard@matrix.org> | 2021-08-31 14:09:48 +0100 |
|---|---|---|
| committer | Richard van der Hoff <richard@matrix.org> | 2021-08-31 14:09:48 +0100 |
| commit | 5d9e7e0c713b5c0057f9e53720f25ecf4d296e66 (patch) | |
| tree | 7af953959712e93f240c5fac91b2d299a19fe7f8 /CHANGES.md | |
| parent | Advertise matrix-org.github.io/synapse docs (#10595) (diff) | |
| parent | 1.41.1 (diff) | |
| download | synapse-5d9e7e0c713b5c0057f9e53720f25ecf4d296e66.tar.xz | |
Merge branch 'master' into develop
Diffstat (limited to 'CHANGES.md')
| -rw-r--r-- | CHANGES.md | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 24f3d53a6d..7046c336a0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,5 +1,36 @@ Users will stop receiving message updates via email for addresses that were previously linked to their account +Synapse 1.41.1 (2021-08-31) +=========================== + +Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild. + +Security advisory +----------------- + +The following issues are fixed in v1.41.1. + +- **[GHSA-3x4c-pq33-4w3q](https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q) / [CVE-2021-39164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39164): Enumerating a private room's list of members and their display names.** + + If an unauthorized user both knows the Room ID of a private room *and* that room's history visibility is set to `shared`, then they may be able to enumerate the room's members, including their display names. + + The unauthorized user must be on the same homeserver as a user who is a member of the target room. + + Fixed by [52c7a51cf](https://github.com/matrix-org/synapse/commit/52c7a51cf). + +- **[GHSA-jj53-8fmw-f2w2](https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2) / [CVE-2021-39163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39163): Disclosing a private room's name, avatar, topic, and number of members.** + + If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features. + + The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (`enable_group_creation` in the Synapse configuration; off by default). + + Fixed by [cb35df940a](https://github.com/matrix-org/synapse/commit/cb35df940a), [\#10723](https://github.com/matrix-org/synapse/issues/10723). + +Bugfixes +-------- + +- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. ([\#10713](https://github.com/matrix-org/synapse/issues/10713)) + Synapse 1.41.0 (2021-08-24) =========================== |