| field | value | |
|---|---|---|
| author | Neil Johnson <neil@fragile.org.uk> | 2018-05-01 18:52:44 +0100 |
| committer | Neil Johnson <neil@fragile.org.uk> | 2018-05-01 18:52:44 +0100 |
| commit | 40d1bbd257567740b9b8d08caeed4d3dae2a6aa4 (patch) | |
| tree | d42e105d71b2173ee58d85e43ca4d83431188adc /CHANGES.rst | |
| parent | Update CHANGES.rst (diff) | |
| parent | changelog for 0.28.1 (diff) | |
| download | synapse-40d1bbd257567740b9b8d08caeed4d3dae2a6aa4.tar.xz | |
fix conflict in changelog from previous release
Diffstat (limited to 'CHANGES.rst')
-rw-r--r-- | CHANGES.rst | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index 40d13c6484..49dac25ca0 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,5 +1,26 @@ +Changes in synapse v0.28.1 (2018-05-01) +======================================= + +SECURITY UPDATE + +* Clamp the allowed values of event depth received over federation to be + [0, 2**63 - 1]. This mitigates an attack where malicious events + injected with depth = 2**63 - 1 render rooms unusable. Depth is used to + determine the cosmetic ordering of events within a room, and so the ordering + of events in such a room will default to using stream_ordering rather than depth + (topological_ordering). + + This is a temporary solution to mitigate abuse in the wild, whilst a long solution + is being implemented to improve how the depth parameter is used. + + Full details at + https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI/edit# + +* Pin Twisted to <18.4 until we stop using the private _OpenSSLECCurve API. + + Changes in synapse v0.28.0 (2018-04-26) -=========================================== +======================================= Bug Fixes: |
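Review bot: "whilst a long solution is being implemented" in the new SECURITY UPDATE entry reads like a typo for "long-term solution"; worth correcting while this hunk is being touched, since the sentence is what distinguishes the temporary clamp from the intended fix. The rest of the hunk looks right for a merge-conflict resolution: the v0.28.1 section is inserted above v0.28.0, and the v0.28.0 underline is shortened from 43 to 39 characters to match its title, consistent with the new v0.28.1 heading.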