This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
v1.93.0
Synapse 1.93.0 (2023-09-26)
No significant changes since 1.93.0rc1.
Security advisory
The following issues are fixed in 1.93.0 (and RCs).
-
GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
Temporary storage of plaintext passwords during password changes.
-
GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
Improper validation of receipts allows forged read receipts.
See the advisories for more details. If you have any questions, email security@matrix.org.
Synapse 1.93.0rc1 (2023-09-19)
Features
- Add automatic purge after all users have forgotten a room. (#15488)
- Restore room purge/shutdown after a Synapse restart. (#15488)
- Support resolving homeservers using
matrix-fed
DNS SRV records from MSC4040. (#16137) - Add the ability to use
G
(GiB) andT
(TiB) suffixes in configuration options that refer to numbers of bytes. (#16219) - Add span information to requests sent to appservices. Contributed by MTRNord. (#16227)
- Add the ability to enable/disable registrations when using CAS. Contributed by Aurélien Grimpard. (#16262)
- Allow the
/notifications
endpoint to be routed to workers. (#16265) - Enable users to easily unsubscribe to notifications emails via the
List-Unsubscribe
header. (#16274) - Report whether a user is
locked
in the List Accounts admin API, and exclude locked users by default. (#16328)
Bugfixes
- Fix a long-standing bug where multi-device accounts could cause high load due to presence. (#16066, #16170, #16171, #16172, #16174)
- Fix a long-standing bug where appservices using MSC2409 to receive
to_device
messages would only get messages for one user. (#16251) - Fix bug when using workers where Synapse could end up re-requesting the same remote device repeatedly. (#16252)
- Fix long-standing bug where we kept re-requesting a remote server's key repeatedly, potentially causing delays in receiving events over federation. (#16257)
- Avoid temporary storage of sensitive information. (#16272)
- Fix bug introduced in Synapse 1.49.0 when using dehydrated devices (MSC2697) and refresh tokens. Contributed by Hanadi. (#16288)
- Fix a long-standing bug where invalid receipts would be accepted. (#16327)
- Use standard name for UTF-8 charset in emails. (#16329)
- Don't try refetching device lists for users on remote hosts that are marked as "down". (#16298)
Improved Documentation
- Fix typos in the documentation. (#16282)
- Link to the Alpine Linux community package for Synapse. (#16304)
- Use string for
federation_client_minimum_tls_version
documentation examples. Contributed by @jcgruenhage. (#16353)
Internal Changes
- Allow modules to delete rooms. (#15997)
- Add GCC and GNU Make to the Nix flake development environment so that
ruff
can be compiled. (#16090, #16263) - Fix type checking when using the new version of Twisted. (#16235)
- Delete device messages asynchronously and in staged batches using the task scheduler. (#16240, #16311, #16312, #16313)
- Bump minimum supported Rust version to 1.61.0. (#16248)
- Update rust to version 1.71.1 in the nix development environment. (#16260)
- Simplify server key storage. (#16261)
- Reduce CPU overhead of change password endpoint. (#16264)
- Stop purging from tables slated for removal. (#16273)
- Improve type hints. (#16276, #16301, #16325, #16326)
- Raise
setuptools_rust
version cap to 1.7.0. (#16277) - Fix using the new task scheduler causing lots of CPU to be used. (#16278)
- Upgrade CI run of Python 3.12 from rc1 to rc2. (#16280)
- Include values in SQL debug when using
execute_values
with Postgres. (#16281) - Enable additional linting checks. (#16283)
- Refactor
receipts_graph
Postgres transactions to stop error messages. (#16299) - Small improvements to logging in replication code. (#16309)
- Remove a reference cycle in background processes. (#16314)
- Only use literal strings for background process names. (#16315)
- Refactor
get_user_by_id
. (#16316) - Speed up task to delete to-device messages. (#16318)
- Avoid patching code in tests. (#16349)
- Test against PostgreSQL 16. (#16351)
Updates to locked dependencies
- Bump mypy from 1.4.1 to 1.5.1. (#16300)
- Bump black from 23.7.0 to 23.9.1. (#16295)
- Bump docker/build-push-action from 4 to 5. (#16336)
- Bump docker/login-action from 2 to 3. (#16339)
- Bump docker/metadata-action from 4 to 5. (#16337)
- Bump docker/setup-qemu-action from 2 to 3. (#16338)
- Bump furo from 2023.8.19 to 2023.9.10. (#16340)
- Bump gitpython from 3.1.32 to 3.1.35. (#16267, #16279)
- Bump mypy-zope from 1.0.0 to 1.0.1. (#16291)
- Bump pillow from 10.0.0 to 10.0.1. (#16344)
- Bump regex from 1.9.4 to 1.9.5. (#16233)
- Bump ruff from 0.0.286 to 0.0.290. (#16342)
- Bump serde_json from 1.0.105 to 1.0.107. (#16296, #16345)
- Bump twisted from 22.10.0 to 23.8.0. (#16235)
- Bump types-pillow from 10.0.0.2 to 10.0.0.3. (#16293)
- Bump types-setuptools from 68.0.0.3 to 68.2.0.0. (#16292)
- Bump typing-extensions from 4.7.1 to 4.8.0. (#16341)