diff options
| author | Patrick Cloke <patrickc@matrix.org> | 2020-07-02 10:55:41 -0400 |
|---|---|---|
| committer | Patrick Cloke <patrickc@matrix.org> | 2020-07-02 10:55:41 -0400 |
| commit | 4d978d7db4448e3cb526ee1087aeab578a31ac71 (patch) | |
| tree | 872c47b3fb4843e720b4c785cbcb9e87a95779ae /CHANGES.md | |
| parent | Hack to add push priority to push notifications (#7765) (diff) | |
| parent | Merge tag 'v1.15.2' (diff) | |
| download | synapse-4d978d7db4448e3cb526ee1087aeab578a31ac71.tar.xz | |
Merge branch 'master' into develop
Diffstat (limited to 'CHANGES.md')
| -rw-r--r-- | CHANGES.md | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index d7755702a6..2c21169bca 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -72,6 +72,26 @@ Internal Changes - Add some metrics for inbound and outbound federation latencies: `synapse_federation_server_pdu_process_time` and `synapse_event_processing_lag_by_event`. ([\#7755](https://github.com/matrix-org/synapse/issues/7755)) +Synapse 1.15.2 (2020-07-02) +=========================== + +Due to the two security issues highlighted below, server administrators are +encouraged to update Synapse. We are not aware of these vulnerabilities being +exploited in the wild. + +Security advisory +----------------- + +* A malicious homeserver could force Synapse to reset the state in a room to a + small subset of the correct state. This affects all Synapse deployments which + federate with untrusted servers. ([96e9afe6](https://github.com/matrix-org/synapse/commit/96e9afe62500310977dc3cbc99a8d16d3d2fa15c)) +* HTML pages served via Synapse were vulnerable to clickjacking attacks. This + predominantly affects homeservers with single-sign-on enabled, but all server + administrators are encouraged to upgrade. ([ea26e9a9](https://github.com/matrix-org/synapse/commit/ea26e9a98b0541fc886a1cb826a38352b7599dbe)) + + This was reported by [Quentin Gliech](https://sandhose.fr/). + + Synapse 1.15.1 (2020-06-16) =========================== |