From edcdc5fd82ccdf3862d811f95b3c93abad8e8578 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 16 Nov 2021 14:34:46 +0000 Subject: 1.47.0rc3 --- CHANGES.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index a188bd3f4d..8b11cccc1a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,18 @@ +Synapse 1.47.0rc3 (2021-11-16) +============================== + +Bugfixes +-------- + +- Fix a bug introduced in 1.47.0rc1 which caused worker processes to not halt startup in the presence of outstanding database migrations. ([\#11346](https://github.com/matrix-org/synapse/issues/11346)) + + +Internal Changes +---------------- + +- Fix an issue which prevented the 'remove deleted devices from `device_inbox` column' background process from running when updating from a recent Synapse version. ([\#11303](https://github.com/matrix-org/synapse/issues/11303), [\#11353](https://github.com/matrix-org/synapse/issues/11353)) + + Synapse 1.47.0rc2 (2021-11-10) ============================== -- cgit 1.5.1 From 729acd82c86d2b705fee34d0e74ca8215b5b7658 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 16 Nov 2021 14:40:54 +0000 Subject: mark the migration file migration as a bug --- CHANGES.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index 8b11cccc1a..f528f561c7 100644 --- a/CHANGES.md +++ b/CHANGES.md 
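Review bot: the `device_inbox` entry added in the 1.47.0rc3 section is filed under Internal Changes, but it describes a regression that stops the 'remove deleted devices from `device_inbox` column' background process from running on upgrade, which is the same kind of user-facing rc1 regression as the worker-startup entry directly above it. Move it under Bugfixes and phrase it the same way ("Fix a bug introduced in 1.47.0rc1 which prevented ...") so administrators scanning the Bugfixes list see both rc1 regressions together.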
@@ -5,12 +5,7 @@ Bugfixes -------- - Fix a bug introduced in 1.47.0rc1 which caused worker processes to not halt startup in the presence of outstanding database migrations. ([\#11346](https://github.com/matrix-org/synapse/issues/11346)) - - -Internal Changes ----------------- - -- Fix an issue which prevented the 'remove deleted devices from `device_inbox` column' background process from running when updating from a recent Synapse version. ([\#11303](https://github.com/matrix-org/synapse/issues/11303), [\#11353](https://github.com/matrix-org/synapse/issues/11353)) +- Fix a bug in v1.47.0rc1 and rc2 which prevented the 'remove deleted devices from `device_inbox` column' background process from running when updating from a recent Synapse version. ([\#11303](https://github.com/matrix-org/synapse/issues/11303), [\#11353](https://github.com/matrix-org/synapse/issues/11353)) Synapse 1.47.0rc2 (2021-11-10) -- cgit 1.5.1 From 7baa671dc821327cb28eb3eb01ecbe65e5ae4926 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 16 Nov 2021 14:42:21 +0000 Subject: fix up changelog language --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index f528f561c7..d71ab4a9d5 100644 --- a/CHANGES.md +++ b/CHANGES.md 
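Review bot: the rewritten entry "Fix a bug in v1.47.0rc1 and rc2 which prevented ..." breaks the wording used by the entry just above it ("Fix a bug introduced in 1.47.0rc1 ..."): the "v" prefix is not used for versions elsewhere in this file, and "and rc2" is redundant once the entry says the bug was introduced in rc1, since the rc2 section below lists no fix for it. Suggest "- Fix a bug introduced in 1.47.0rc1 which prevented the 'remove deleted devices from `device_inbox` column' background process from running when updating from a recent Synapse version."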
@@ -5,7 +5,7 @@ Bugfixes -------- - Fix a bug introduced in 1.47.0rc1 which caused worker processes to not halt startup in the presence of outstanding database migrations. ([\#11346](https://github.com/matrix-org/synapse/issues/11346)) -- Fix a bug in v1.47.0rc1 and rc2 which prevented the 'remove deleted devices from `device_inbox` column' background process from running when updating from a recent Synapse version. ([\#11303](https://github.com/matrix-org/synapse/issues/11303), [\#11353](https://github.com/matrix-org/synapse/issues/11353)) +- Fix a bug introduced in 1.47.0rc1 which prevented the 'remove deleted devices from `device_inbox` column' background process from running when updating from a recent Synapse version. ([\#11303](https://github.com/matrix-org/synapse/issues/11303), [\#11353](https://github.com/matrix-org/synapse/issues/11353)) Synapse 1.47.0rc2 (2021-11-10) -- cgit 1.5.1 From 9f9d82aa846332189e818f51d49daf2335780014 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Wed, 17 Nov 2021 13:10:12 +0000 Subject: 1.47.0 --- CHANGES.md | 6 ++++++ debian/changelog | 6 ++++++ synapse/__init__.py | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index d71ab4a9d5..a435d9c592 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,9 @@ +Synapse 1.47.0 (2021-11-17) +=========================== + +No significant changes since 1.47.0rc3. + + Synapse 1.47.0rc3 (2021-11-16) ============================== diff --git a/debian/changelog b/debian/changelog index 2acd0de3f5..ba75d0b251 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +matrix-synapse-py3 (1.47.0) stable; urgency=medium + + * New synapse release 1.47.0. + + -- Synapse Packaging team Wed, 17 Nov 2021 13:09:43 +0000 + matrix-synapse-py3 (1.47.0~rc3) stable; urgency=medium * New synapse release 1.47.0~rc3. diff --git a/synapse/__init__.py b/synapse/__init__.py index 3b5878b912..aa964afb5e 100644 
--- a/synapse/__init__.py +++ b/synapse/__init__.py @@ -47,7 +47,7 @@ try: except ImportError: pass -__version__ = "1.47.0rc3" +__version__ = "1.47.0" if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)): # We import here so that we don't have to install a bunch of deps when -- cgit 1.5.1 From 97a402302c5b23ce49671ada42e117f34417f42f Mon Sep 17 00:00:00 2001 From: Sean Quah Date: Fri, 19 Nov 2021 14:08:59 +0000 Subject: 1.47.1 --- CHANGES.md | 23 +++++++++++++++++++++++ debian/changelog | 6 ++++++ synapse/__init__.py | 2 +- 3 files changed, 30 insertions(+), 1 deletion(-) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index a435d9c592..22f8452058 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,3 +1,26 @@ +Synapse 1.47.1 (2021-11-19) +=========================== + +This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild. + +Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below. + +Security advisory +----------------- + +The following issue is fixed in v1.47.1. + +- **[GHSA-3hfw-x7gx-437c](https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c) / [CVE-2021-?????](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-?????): Path traversal when downloading remote media.** + + Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory. + + The last two directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. + + Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected. + + Fixed by [91f2bd090](https://github.com/matrix-org/synapse/commit/91f2bd090). + + Synapse 1.47.0 (2021-11-17) =========================== diff --git a/debian/changelog b/debian/changelog index ba75d0b251..35c9063388 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +matrix-synapse-py3 (1.47.1) stable; urgency=medium + + * New synapse release 1.47.1. + + -- Synapse Packaging team Fri, 19 Nov 2021 13:44:32 +0000 + matrix-synapse-py3 (1.47.0) stable; urgency=medium * New synapse release 1.47.0. diff --git a/synapse/__init__.py b/synapse/__init__.py index aa964afb5e..48ac38aec6 100644 --- a/synapse/__init__.py +++ b/synapse/__init__.py 
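Review bot: the advisory bullet links to a placeholder, `CVE-2021-?????`, which renders as a dead link on cve.mitre.org; the identifier has to be filled in (or the CVE half of the link dropped) before this text ships, because the same commit already bumps `__version__` to 1.47.1 and adds the debian/changelog entry, so this is what a package built from it will carry. Two smaller points in the same hunk: the intro says "We are not aware of these vulnerabilities being exploited" while the section lists a single issue ("The following issue is fixed"), so use the singular; and "fixed in v1.47.1" uses a "v" prefix that the section headers in this file do not, so write "1.47.1".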
@@ -47,7 +47,7 @@ try: except ImportError: pass -__version__ = "1.47.0" +__version__ = "1.47.1" if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)): # We import here so that we don't have to install a bunch of deps when -- cgit 1.5.1 From 8d4dcac7e906d0c6f3cea0c9581d4b6cc7287703 Mon Sep 17 00:00:00 2001 From: Sean Quah Date: Fri, 19 Nov 2021 14:11:05 +0000 Subject: Update 1.47.1 release date in CHANGES.md --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index 22f8452058..07a9c8dcda 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,4 +1,4 @@ -Synapse 1.47.1 (2021-11-19) +Synapse 1.47.1 (2021-11-23) =========================== This release fixes a security issue in the media store, affecting all prior releases of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild. -- cgit 1.5.1 From 9c21a68995cb147c5dc40b2d1263623c11498b5f Mon Sep 17 00:00:00 2001 From: Sean Quah Date: Fri, 19 Nov 2021 14:11:35 +0000 Subject: Refer to 1.47.1 without the v --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index 07a9c8dcda..972f6f18d5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -8,7 +8,7 @@ Server administrators who are unable to update Synapse may use the workarounds d Security advisory ----------------- -The following issue is fixed in v1.47.1. +The following issue is fixed in 1.47.1. - **[GHSA-3hfw-x7gx-437c](https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c) / [CVE-2021-?????](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-?????): Path traversal when downloading remote media.** -- cgit 1.5.1 From 8fa83999d688bb4c1747f2237002422e566e085f Mon Sep 17 00:00:00 2001 
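Review bot: changing the 1.47.1 header date to 2021-11-23 leaves CHANGES.md disagreeing with debian/changelog, whose 1.47.1 entry in the previous commit is stamped Fri, 19 Nov 2021 13:44:32 +0000, and with `__version__` already set to 1.47.1. If the release is being held until the 23rd, regenerate the debian/changelog stamp in the same commit (or do the version and date bump together at release time) so both changelogs state the same release date.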
From: Sean Quah Date: Fri, 19 Nov 2021 18:40:13 +0000 Subject: Add CVE number --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index 972f6f18d5..fde8d7f81a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -10,7 +10,7 @@ Security advisory The following issue is fixed in 1.47.1. -- **[GHSA-3hfw-x7gx-437c](https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c) / [CVE-2021-?????](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-?????): Path traversal when downloading remote media.** +- **[GHSA-3hfw-x7gx-437c](https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c) / [CVE-2021-41281](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41281): Path traversal when downloading remote media.** Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory. -- cgit 1.5.1