This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

v1.23.1, released by erikjohnston on 09 Dec 11:16
Synapse 1.23.1 (2020-12-09)
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
Security advisory
The following issues are fixed in v1.23.1 and v1.24.0.
- There is a denial of service attack (CVE-2020-26257) against the federation APIs in which future events will not be correctly sent to other servers over federation. This affects all servers that participate in open federation. (Fixed in #8776.)
- Synapse may be affected by OpenSSL CVE-2020-1971. Synapse administrators should ensure that they have the latest versions of the cryptography Python package installed.
To upgrade Synapse along with the cryptography package:

- Administrators using the matrix.org Docker image or the Debian/Ubuntu packages from matrix.org should ensure that they have version 1.24.0 or 1.23.1 installed: these images include the updated packages.
- Administrators who have installed Synapse from source should upgrade the cryptography package within their virtualenv by running:

  ```shell
  <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
  ```

- Administrators who have installed Synapse from distribution packages should consult the information from their distributions.
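For source installs, the remediation above has two parts that are easy to get half right: the cryptography package must be at least 3.3, and the OpenSSL it is linked against must be one that carries the CVE-2020-1971 fix. The following script is an added example written for these notes, not Synapse project code. It runs a small probe inside the virtualenv's own interpreter (so it sees the same wheel Synapse imports), then applies both checks. The `>=3.3` threshold is the advisory's; the OpenSSL threshold (1.1.1i, the 1.1.1-series release that fixes CVE-2020-1971) comes from the OpenSSL advisory rather than from this page, and the script path, function names and sample version strings are assumptions made here.

```python
"""Added check for the two remediation points in this advisory: is the
cryptography package in a source-install virtualenv at >=3.3, and which
OpenSSL is that package linked against? Example code written for these
notes, not part of Synapse."""
import json
import os
import re
import subprocess
import sys

# The advisory's requirement: pip install 'cryptography>=3.3'
REQUIRED_CRYPTOGRAPHY = (3, 3)

# 1.1.1i is the OpenSSL 1.1.1-series release that fixes CVE-2020-1971
# (taken from the OpenSSL advisory of 8 Dec 2020, not from this page).
FIXED_OPENSSL_LETTER = "i"

_OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'3.3.1' -> (3, 3, 1). Stops at the first non-numeric component so
    strings such as '3.3.dev0' still compare sensibly."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cryptography_is_current(version_text):
    """True when the installed cryptography satisfies the advisory's >=3.3."""
    return parse_version(version_text) >= REQUIRED_CRYPTOGRAPHY


def openssl_fixed_for_cve_2020_1971(version_text):
    """Interpret an OpenSSL banner such as 'OpenSSL 1.1.1i  8 Dec 2020'.

    Returns True/False for the 1.1.1 series, and None when the series is one
    this check does not know about (e.g. a distribution build whose fix
    status has to be read from the distribution's own advisory)."""
    m = _OPENSSL_RE.search(version_text)
    if not m:
        return None
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) == (1, 1, 1):
        # Patch letters are ordered a < b < ...; a bare '1.1.1' has letter ''.
        return letter >= FIXED_OPENSSL_LETTER
    return None


def check_virtualenv(venv_path):
    """Query the venv's own interpreter so the result reflects what Synapse
    will actually import, then apply the two checks above."""
    probe = (
        "import json, cryptography\n"
        "from cryptography.hazmat.backends.openssl.backend import backend\n"
        "print(json.dumps({'cryptography': cryptography.__version__,"
        " 'openssl': backend.openssl_version_text()}))"
    )
    python = os.path.join(venv_path, "bin", "python")
    out = subprocess.run([python, "-c", probe], capture_output=True,
                         text=True, check=True).stdout
    info = json.loads(out)
    return {
        "cryptography": info["cryptography"],
        "cryptography_ok": cryptography_is_current(info["cryptography"]),
        "openssl": info["openssl"],
        "openssl_fixed": openssl_fixed_for_cve_2020_1971(info["openssl"]),
    }


if __name__ == "__main__":
    # Usage: python check_synapse_crypto.py <path_to_virtualenv>
    if len(sys.argv) != 2:
        sys.exit("usage: check_synapse_crypto.py <path_to_virtualenv>")
    result = check_virtualenv(sys.argv[1])
    for key, value in result.items():
        print(f"{key}: {value}")
    # Non-zero exit when either remediation point is known to be unmet.
    if not result["cryptography_ok"] or result["openssl_fixed"] is False:
        sys.exit(1)
```

A `None` for the OpenSSL result is deliberate: wheels from PyPI bundle their own OpenSSL and report a stock banner, but a cryptography package built against a distribution's OpenSSL may be patched without the letter changing, so the script refuses to guess and leaves that case to the distribution's advisory, as the notes above say.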
Bugfixes
- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. (#8776)
Internal Changes
- Add a maximum version for pysaml2 on Python 3.5. (#8898)