author: Erik Johnston <erik@matrix.org> 2023-06-06 09:55:42 +0100
committer: Erik Johnston <erik@matrix.org> 2023-06-06 09:55:42 +0100
commit: 564f37aca6fdf404edc65031f90bbf9385794ae2 (patch)
tree: 3e7c898f176135a9e14fd428955e081f023c262c /CHANGES.md
parent: 1.85.0rc2 (diff)
download: synapse-564f37aca6fdf404edc65031f90bbf9385794ae2.tar.xz
1.85.0
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- CHANGES.md 21
1 files changed, 21 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md

index f0885a2f1e..100ce99270 100644 --- a/CHANGES.md +++ b/CHANGES.md
@@ -1,3 +1,24 @@ +Synapse 1.85.0 (2023-06-06) +=========================== + +No significant changes since 1.85.0rc2. + + +## Security advisory + +The following issues are fixed in 1.85.0. + +- [GHSA-26c5-ppr8-f33p](https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p) / [CVE-2023-32682](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity + + It may be possible for a deactivated user to login when using uncommon configurations. + +- [GHSA-98px-6486-j7qc](https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc) / [CVE-2023-32683](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity + + A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs). + +See the advisories for more details. If you have any questions, email security@matrix.org. + + Synapse 1.85.0rc2 (2023-06-01) ==============================
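Review bot: The first advisory entry (GHSA-26c5-ppr8-f33p) shows CVE-2023-32682 as its link text, but the URL ends in `name=CVE-2023-32683`, which is the same target as the second entry, so a reader following the link for the deactivated-user login issue lands on the record for the URL preview issue. The query parameter should carry the identifier shown in the link text. Two smaller points in the same hunk: "login" is used as a verb in "for a deactivated user to login" and should read "log in", and "uncommon configurations" gives operators no hint of whether they are affected, so naming the relevant settings in the changelog entry (as the second entry does with `url_preview_url_blacklist` and `url_preview_ip_range_blacklist`) would let them triage without opening the advisory.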