| tag name | v1.120.1 (5f9aff480cd0ae375b0ac0d6154ca197690e7379) |
|---|---|
| tag date | 2024-12-03 15:58:21 +0100 |
| tagged by | Quentin Gliech <quenting@element.io> |
| tagged object | commit fe3d88b833... |
| download | synapse-1.120.1.tar.xz |
This patch release fixes multiple security vulnerabilities, some affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.

The following issues are fixed in 1.120.1.

- [GHSA-rfq8-j7rh-8hf2](https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2) / [CVE-2024-52805](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52805): **Unsupported content types can lead to memory exhaustion**

  Synapse instances which have a high `max_upload_size` and which don't have a reverse proxy in front of them that would otherwise limit upload size are affected.

  Fixed by [4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf](https://github.com/element-hq/synapse/commit/4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf).

- [GHSA-f3r3-h2mq-hx2h](https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h) / [CVE-2024-52815](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52815): **Malicious invites via federation can break a user's sync**

  Fixed by [d82e1ed357b7ee21dff83d06cba7a67840cfd464](https://github.com/element-hq/synapse/commit/d82e1ed357b7ee21dff83d06cba7a67840cfd464).

- [GHSA-vp6v-whfm-rv3g](https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g) / [CVE-2024-53863](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53863): **Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders**

  Fixed by [b64a4e5fbbbf119b6c65aedf0d999b4237d55503](https://github.com/element-hq/synapse/commit/b64a4e5fbbbf119b6c65aedf0d999b4237d55503).

- [GHSA-56w4-5538-8v8h](https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h) / [CVE-2024-53867](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53867): **The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room**

  Non-state events, like messages, are unaffected.

  Synapse instances can disable the Sliding Sync feature by setting `experimental_features.msc3575_enabled` to `false` in the configuration file.

  Fixed by [4daa533e82f345ce87b9495d31781af570ba3ead](https://github.com/element-hq/synapse/commit/4daa533e82f345ce87b9495d31781af570ba3ead).

See the advisories for more details. If you have any questions, email [security at element.io](mailto:security@element.io).

- Fix release process to not create duplicate releases. ([\#17970](https://github.com/element-hq/synapse/issues/17970))

```
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE7qit+jwB/tnnqkQqItYrhFUnGfwFAmdPHI0ACgkQItYrhFUn
Gfz+Jw/8D0Z7BV+aeDW/f2jMV3bwWaD1S3I/R38RebqdNxVzSDR6FXyXPpdgMCoX
wI6rsuhzWX774WKKVCUToKu0ggtUsT5xe1rBnB/d3HvZFlDkvNPB+s6f9hxKvJd1
n1E6n1A6ylyY0ekLDcwjmp2U2gAoSlCTpZm9bidaYtCjmQAnUK/0NCtCCVy/fEMb
6iZMKris3ibEtcJwS3Yw5U9AXHWotaqtnNs2cF0vDCYaZmpRdpVGqKFBwsgjlGLS
E+BA/MXTD6GYryacoMxzMpTcr6jfNiLPiPnvVbkHds/ziMWgY05zgSSNcrJmgsNt
B379Xgryzsl02p03zWfesxkDNAGYw/0nAYsdq/gvyJ4xEBD92kFSAzarB144ByFq
3A/gsog4vYoB/5rPT05e694iefqknDe+CduMPRzvIrhAs9pcPyHCe7Ska1+D/QvE
6YZkbZLG1bRCuPi7PbjBOmSqHTX3+bv4eOVzE/0p6nxnXdnH4qzJBj7yy8YavD6q
2/rLM/l4UYNUqJMdSANTjBrUtrwTnuiGBtM1nYSRhJ3LW/3hjZNlYrRBpraygYGc
8D1B7wkMLJUIgb+Ew8hMg26VAL/4lK6+0QHTXRWA8Xj8Rss5FP/21YjGL4heC3eW
XqZltP/UfydKO6UMBr2VtGyrEnHwveGKtV9uK/MoZlvXaB/M7PA=
=4fpA
-----END PGP SIGNATURE-----
```
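Two of the conditions in these notes depend on the homeserver configuration rather than on the Synapse version alone: a high `max_upload_size` with no reverse proxy capping request bodies (CVE-2024-52805), and Sliding Sync left on via `experimental_features.msc3575_enabled` (CVE-2024-53867). The following audit helper is an added example, not Synapse's own code or anything from the advisories: it takes a homeserver config already parsed into a dict (as `yaml.safe_load` would produce), a flag saying whether an upstream proxy limits body size, and reports which condition still applies. The size parser for the `K`/`M` suffix convention is our own, the 50M cut-off for "high" is our assumption (the notes do not quantify it), and both sample configs are constructed.

```python
"""Audit a parsed Synapse homeserver.yaml against the two config-dependent
conditions in the 1.120.1 release notes. Added example; not Synapse code."""
from typing import Any, Dict, List, Union

# Synapse documents max_upload_size as an integer or a string with a K/M
# suffix (default 50M). Parsing it here is our own helper, an assumption
# about that convention rather than a call into Synapse.
_SUFFIXES = {"K": 1024, "M": 1024 * 1024}


def parse_size(value: Union[int, str]) -> int:
    """Return a byte count for a size such as 50M, 512K or 1048576."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    suffix = text[-1:].upper()
    if suffix in _SUFFIXES:
        return int(text[:-1]) * _SUFFIXES[suffix]
    return int(text)


def audit(config: Dict[str, Any], proxy_limits_body_size: bool,
          upload_threshold: Union[int, str] = "50M") -> List[str]:
    """Return one finding per advisory condition the config still meets.

    proxy_limits_body_size: True if a reverse proxy caps request bodies,
    which the notes say removes the memory-exhaustion exposure.
    upload_threshold: cut-off for a "high" max_upload_size; the Synapse
    default of 50M is used here (our assumption, not from the notes).
    """
    findings: List[str] = []

    # CVE-2024-52805: large uploads with nothing upstream to bound them.
    limit = parse_size(config.get("max_upload_size", "50M"))
    if limit > parse_size(upload_threshold) and not proxy_limits_body_size:
        findings.append(
            f"CVE-2024-52805: max_upload_size is {limit} bytes and no proxy "
            "caps upload size; lower it or add a proxy limit until updated"
        )

    # CVE-2024-53867: Sliding Sync is opt-in, so only a true value matters.
    experimental = config.get("experimental_features") or {}
    if experimental.get("msc3575_enabled", False):
        findings.append(
            "CVE-2024-53867: Sliding Sync is enabled; set "
            "experimental_features.msc3575_enabled to false until updated"
        )
    return findings


# Constructed sample configs, shaped as yaml.safe_load would return them.
EXPOSED_CONFIG = {
    "server_name": "example.test",
    "max_upload_size": "1024M",
    "experimental_features": {"msc3575_enabled": True},
}
HARDENED_CONFIG = {
    "server_name": "example.test",
    "max_upload_size": "50M",
    "experimental_features": {"msc3575_enabled": False},
}

if __name__ == "__main__":
    for name, cfg, proxied in (("exposed", EXPOSED_CONFIG, False),
                               ("hardened", HARDENED_CONFIG, True)):
        print(name, audit(cfg, proxy_limits_body_size=proxied) or ["no findings"])
```

The check is deliberately version-agnostic: it tells an administrator who cannot update yet which workaround still needs applying, and should report nothing once the config matches the hardened shape, whether or not a proxy is in front.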