This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

v1.23.1

@erikjohnston erikjohnston released this 09 Dec 11:16

Synapse 1.23.1 (2020-12-09)

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

Security advisory

The following issues are fixed in v1.23.1 and v1.24.0.

  • There is a denial of service vulnerability (CVE-2020-26257) in the federation APIs: once triggered, future events are not correctly sent to other servers over federation. This affects all servers that participate in open federation. (Fixed in #8776).

  • Synapse may be affected by OpenSSL CVE-2020-1971. Synapse administrators should ensure that they have the latest versions of the cryptography Python package installed.

To upgrade Synapse along with the cryptography package:

  • Administrators using the matrix.org Docker image or the Debian/Ubuntu packages from matrix.org should ensure that they have version 1.24.0 or 1.23.1 installed: these images include the updated packages.
  • Administrators who have installed Synapse from source should upgrade the cryptography package within their virtualenv by running:
    <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
  • Administrators who have installed Synapse from distribution packages should consult the information from their distributions.
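A small post-upgrade check that an administrator can run inside the Synapse virtualenv to confirm the step above took effect. This is an added example, not part of the release notes or of Synapse itself: it reads the installed `cryptography` version through `importlib.metadata`, compares it against the `>=3.3` floor stated above with a numeric comparison (a plain string comparison would rank "10.0" below "3.3"), and reports the OpenSSL build the package is linked against when the `openssl_version_text()` helper is available (assumed to exist on the cryptography backend; the call is wrapped so the check still works if it is not).

```python
"""Verify that the installed cryptography package satisfies the advisory's floor."""
import importlib.metadata
import re


def parse_version(text):
    """Turn '3.3', '3.3.1' or '3.3rc1' into a comparable key.

    The key is (numeric parts padded to three positions, prerelease flag);
    a pre-release suffix makes the flag -1 so '3.3rc1' sorts below '3.3'.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))
    prerelease = -1 if match.group(2) else 0
    return tuple(numbers[:3]), prerelease


def meets_minimum(installed, minimum="3.3"):
    """True when `installed` is at least `minimum` (defaults to the advisory's 3.3)."""
    return parse_version(installed) >= parse_version(minimum)


def check_cryptography(minimum="3.3"):
    """Report the installed cryptography version, whether it meets `minimum`,
    and the OpenSSL version string it was built against (None if unavailable)."""
    try:
        installed = importlib.metadata.version("cryptography")
    except importlib.metadata.PackageNotFoundError:
        return {"installed": None, "ok": False, "openssl": None}

    openssl = None
    try:
        # Assumed helper on the cryptography OpenSSL backend; guarded because
        # the attribute is not part of the advisory and may differ by release.
        from cryptography.hazmat.backends.openssl.backend import backend
        openssl = backend.openssl_version_text()
    except Exception:  # ImportError or a backend without the helper
        pass

    return {"installed": installed, "ok": meets_minimum(installed, minimum), "openssl": openssl}


if __name__ == "__main__":
    report = check_cryptography()
    status = "OK" if report["ok"] else "UPGRADE NEEDED"
    print(f"cryptography={report['installed']} openssl={report['openssl']} -> {status}")
```

Run it as `<path_to_virtualenv>/bin/python check_cryptography.py` so that it inspects the same interpreter Synapse uses; a system-wide Python may carry a different copy of the package.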

Bugfixes

  • Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. (#8776)
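The bugfix above describes a federation API that misbehaved when the URI and the request body carried different parameters. The following is an added illustration of the defensive pattern involved, not Synapse's own code or the actual change in #8776: a handler that trusts identifiers from the body after routing on the path is shown beside one that refuses any request whose body contradicts the path and then treats the path values as the single source of truth. The endpoint shape (`PUT /federation/send/{room_id}/{event_id}`) and the sample requests are constructed for the example.

```python
"""Reject requests whose body fields disagree with their URI parameters."""
from dataclasses import dataclass, field


class BadRequest(Exception):
    """Raised when a request is rejected before any state is touched."""


@dataclass
class Request:
    """Minimal stand-in for a parsed HTTP request (constructed for the example)."""
    path_params: dict
    body: dict = field(default_factory=dict)


def find_mismatches(path_params, body, fields):
    """Return the names in `fields` whose body value differs from the path value.

    A field absent from the body is reported as well: a handler that uses the
    path value for one identifier and the body value for another is exactly
    the inconsistency this check exists to prevent.
    """
    return [name for name in fields if body.get(name) != path_params.get(name)]


def handle_send_unchecked(request):
    """Vulnerable pattern: the router matched the URI, but the handler reads the
    identifiers from the body, so a body naming a different room or event than
    the path is processed as though it belonged to the path."""
    event = request.body
    return {"room_id": event["room_id"], "event_id": event["event_id"]}


def handle_send_checked(request):
    """Hardened pattern: fail fast if the body contradicts the path, then use
    the path values, which the router already validated, for everything else."""
    bad = find_mismatches(request.path_params, request.body, ("room_id", "event_id"))
    if bad:
        raise BadRequest(f"body disagrees with URI for: {', '.join(bad)}")
    return {
        "room_id": request.path_params["room_id"],
        "event_id": request.path_params["event_id"],
    }


# Constructed sample requests for the hypothetical endpoint.
CONSISTENT = Request(
    path_params={"room_id": "!room:example.org", "event_id": "$evt1"},
    body={"room_id": "!room:example.org", "event_id": "$evt1", "type": "m.room.message"},
)
INCONSISTENT = Request(
    path_params={"room_id": "!room:example.org", "event_id": "$evt1"},
    body={"room_id": "!other:example.org", "event_id": "$evt2", "type": "m.room.message"},
)

if __name__ == "__main__":
    # The unchecked handler silently acts on the body's identifiers.
    print("unchecked:", handle_send_unchecked(INCONSISTENT))
    try:
        handle_send_checked(INCONSISTENT)
    except BadRequest as exc:
        print("checked:", exc)
```

The check runs before any persistence or federation work, so an inconsistent request is dropped with a 4xx-style error rather than being partially processed; logging the rejected field names (as the exception message does) also gives operators a signal to alert on.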

Internal Changes

  • Add a maximum version for pysaml2 on Python 3.5. (#8898)