| tag name | v1.24.0 (e7c7d12045c59a3bddea17517d1762e61378c9c6) |
| tag date | 2020-12-09 11:09:50 +0000 |
| tagged by | Erik Johnston <erik@matrix.org> |
| tagged object | commit 9b26a4ac87... |
| download | synapse-1.24.0.tar.xz |
|---|
Synapse 1.24.0 (2020-12-09)
=========================== Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild. Security advisory ----------------- The following issues are fixed in v1.23.1 and v1.24.0. - There is a denial of service attack ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257)) against the federation APIs in which future events will not be correctly sent to other servers over federation. This affects all servers that participate in open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)). - Synapse may be affected by OpenSSL [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971). Synapse administrators should ensure that they have the latest versions of the cryptography Python package installed. To upgrade Synapse along with the cryptography package: * Administrators using the [`matrix.org` Docker image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu packages from `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages) should ensure that they have version 1.24.0 or 1.23.1 installed: these images include the updated packages. * Administrators who have [installed Synapse from source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source) should upgrade the cryptography package within their virtualenv by running: ```sh <path_to_virtualenv>/bin/pip install 'cryptography>=3.3' ``` * Administrators who have installed Synapse from distribution packages should consult the information from their distributions. Internal Changes ---------------- - Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898)) -----BEGIN PGP SIGNATURE----- iQFEBAABCgAuFiEEBTGR3/RnAzBGUif3pULk7RsPrAkFAl/QsIsQHGVyaWtAbWF0 cml4Lm9yZwAKCRClQuTtGw+sCXkpCACrOY0AJ65jbcVjwW3OYAF4u+TvTmbdGPBA 33ux+DItR8KtjthWVMotIfO6dElr7mWKVetVxB3OcsBW0iFBa+zXouDIaL+B0I/K 10SeKCqVpelEYuWQA2oLlsKQpDLkVqV44k5Ri7eMLDorzOR3BVYg0+VtSCuhNyUw dqYwo9pggWGhLZuDYmSeWFywhHdaCCB9nl23N8oj9rcBzvXw68w7as3gUQmsh7Du bT3l+D13dSRCQWYp238lz4FMOiHAIdo9nkOBmPrTjersExdcZhlQMjMow8uX/CB/ I1UXrDSar4M39cr2IuUR6jydCP9Rvg4YXEesVjfViqj9Ac7PL1rU =WaZ7 -----END PGP SIGNATURE-----