tag name: v1.21.2 (e2ad197e031a1c77a305b1b3af327cf1f481e4e7)
tag date: 2020-10-15 10:37:33 -0400
tagged by: Patrick Cloke <patrickc@matrix.org>
tagged object: commit 9b8a53c7b9...
download: synapse-1.21.2.tar.xz

Synapse 1.21.2 (2020-10-15)
===========================

Debian packages and Docker images have been rebuilt using the latest versions of dependency libraries, including authlib 0.15.1. Please see bugfixes below.

Security advisory
-----------------

* HTML pages served via Synapse were vulnerable to cross-site scripting (XSS)
  attacks. All server administrators are encouraged to upgrade.
  ([\#8444](https://github.com/matrix-org/synapse/pull/8444))
  ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891))

  This fix was originally included in v1.21.0 but was missing a security advisory.

  This was reported by [Denis Kasak](https://github.com/dkasak).

Bugfixes
--------

- Fix rare bug where sending an event would fail due to a racy assertion. ([\#8530](https://github.com/matrix-org/synapse/issues/8530))
- An updated version of the authlib dependency is included in the Docker and Debian images to fix an issue using OpenID Connect. See [\#8534](https://github.com/matrix-org/synapse/issues/8534) for details.