Commit Graph

256 Commits

Author SHA1 Message Date
Andrew Morgan ab12c909a2 1.50.1 2022-01-18 16:09:04 +00:00
Andrew Morgan 3ba9389699 1.50.0 2022-01-18 10:41:36 +00:00
Olivier Wilkinson (reivilibre) 867443472c 1.50.0rc2 2022-01-14 11:34:57 +00:00
Olivier Wilkinson (reivilibre) 9be5aacc2d 1.50.0rc1 2022-01-05 12:39:48 +00:00
Richard van der Hoff aa874a1390 1.49.2 2021-12-21 17:32:16 +00:00
Richard van der Hoff 8c36d332d5 1.49.1 2021-12-21 11:07:41 +00:00
Olivier Wilkinson (reivilibre) 9f3c7e85a4 1.49.0 2021-12-14 12:56:14 +00:00
Sean Quah 966b5d0fa0 1.49.0rc1 2021-12-07 13:56:09 +00:00
Brendan Abolivier 4bdad80de1 1.48.0 2021-11-30 11:24:21 +00:00
Brendan Abolivier 946c102ac9 1.48.0rc1 2021-11-25 15:57:04 +00:00
Sean Quah 97a402302c 1.47.1 2021-11-19 14:08:59 +00:00
David Robertson 9f9d82aa84
1.47.0 2021-11-17 13:10:12 +00:00
Andrew Morgan edcdc5fd82 1.47.0rc3 2021-11-16 14:34:46 +00:00
Olivier Wilkinson (reivilibre) ef7f9286d1 Move Debian changelog entries to rc2 since rc1 was not published 2021-11-10 09:48:50 +00:00
Olivier Wilkinson (reivilibre) 82e62b488a 1.47.0rc2 2021-11-10 09:44:38 +00:00
Olivier Wilkinson (reivilibre) af6374905a Correct the Debian changelog 2021-11-10 09:37:48 +00:00
Olivier Wilkinson (reivilibre) 01f61da77f 1.47.0rc1 2021-11-09 12:17:35 +00:00
Dan Callahan 556a488209
Address review feedback from #11269 (#11273)
Signed-off-by: Dan Callahan <danc@element.io>
2021-11-08 11:57:37 +00:00
Dan Callahan 9799c569bb
Minor cleanup to Debian packaging (#11269)
* Remove unused Vagrant scripts

* Change package Architecture to any

* Preinstall the wheel package when building venvs.

Addresses the following warnings during Debian builds:

    Using legacy 'setup.py install' for jaeger-client, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for matrix-synapse-ldap3, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for opentracing, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for psycopg2, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for systemd-python, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for pympler, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for threadloop, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for thrift, since package 'wheel' is not installed.

* Allow /etc/default/matrix-synapse to be missing

Per the systemd.exec manpage, prefixing an EnvironmentFile with "-":

> indicates that if the file does not exist, it will not be read and no
> error or warning message is logged.

Signed-off-by: Dan Callahan <danc@element.io>
2021-11-07 21:18:33 +00:00
Erik Johnston 237f7eb87a Merge remote-tracking branch 'origin/master' into develop 2021-11-02 14:28:27 +00:00
Erik Johnston df84ad602b 1.46.0 2021-11-02 13:23:01 +00:00
Dan Callahan 0dffa9d0e0
Merge remote-tracking branch 'origin/develop' into shellcheck
Fixes a merge conflict with debian/changelog

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-27 20:04:00 +01:00
Richard van der Hoff 576921c66a
Force deb compression with `xz`. (#11197)
Fixes a problem where `impish` packages could not be processed by `reprepro`.
2021-10-27 17:06:32 +01:00
Sean Quah cc75a6b1b2 1.46.0rc1 2021-10-26 14:04:51 +01:00
Dan Callahan 1afc6ecae1
Changelog
Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:21:40 +01:00
Dan Callahan d7141e0b8b
Fix Shellcheck SC2006: Use $(...) notation
Use $(...) notation instead of legacy backticked `...`.

https://github.com/koalaman/shellcheck/wiki/SC2006

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:55 +01:00
Dan Callahan 13f084eb58
Fix Shellcheck SC2086: Quote to prevent splitting
Double quote to prevent globbing and word splitting.

https://github.com/koalaman/shellcheck/wiki/SC2086

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan 31096132c3
Fix Shellcheck SC2012: Use find instead of ls
Use find instead of ls to better handle non-alphanumeric filenames.

https://github.com/koalaman/shellcheck/wiki/SC2012

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan 9d0f9d51d5
Fix Shellcheck SC2016: Single quotes don't expand
Expressions don't expand in single quotes, use double quotes for that.

https://github.com/koalaman/shellcheck/wiki/SC2016

This specifically warned about the '$aregis...' part of the sed script.
Which is a relatively obscure use of sed.

Splitting this into two commands makes its intent more obvious and
avoids contravening Shellcheck's lints.

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan bab2bc844c
Fix Shellcheck SC1091: Can't follow file
Not following: (error message here)

https://github.com/koalaman/shellcheck/wiki/SC1091

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan 898e3be4c9
Fix Shellcheck SC2064: Use single quotes on traps
Use single quotes, otherwise this expands now rather than when signalled.

https://github.com/koalaman/shellcheck/wiki/SC2064

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan 64adbb7b54
Fix Shellcheck SC2046: Quote to prevent word split
Quote this to prevent word splitting

https://www.shellcheck.net/wiki/SC2046

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:53 +01:00
Sean Quah 522489fbcd 1.45.1 2021-10-20 12:00:03 +01:00
David Robertson 8b1185347a
1.45.0 2021-10-19 11:19:55 +01:00
David Robertson 99a4e5222d
1.45.0rc2 2021-10-14 10:59:27 +01:00
Brendan Abolivier 8c5255b664 1.45.0rc1 2021-10-12 10:47:15 +01:00
Nick Barrett c80878d22a
Add `--run-background-updates` option to `update_database` script. (#10954)
Signed-off-by: Nick Barrett <nick@beeper.com>
2021-10-06 11:26:18 +01:00
Brendan Abolivier b2c5e79291 1.44.0 2021-10-05 13:45:24 +01:00
Brendan Abolivier 2d2c6a41fe 1.44.0rc3 2021-10-04 14:57:40 +01:00
Olivier Wilkinson (reivilibre) 3412f5c8d8 1.44.0rc2 2021-09-30 12:40:24 +01:00
Erik Johnston 3c50192d3f 1.44.0rc1 2021-09-28 13:42:21 +01:00
David Robertson c4ef61136f 1.43.0 2021-09-21 11:49:15 +01:00
David Robertson daac1e645c 1.43.0rc2 2021-09-17 10:43:51 +01:00
Andrew Morgan d725e0956f 1.43.0rc1 2021-09-14 11:47:11 +01:00
Azrenbeth 6631321687 1.42.0 2021-09-07 16:20:03 +01:00
Brendan Abolivier e9958d908d 1.42.0rc2 2021-09-06 15:25:23 +01:00
Olivier Wilkinson (reivilibre) 6b2aca473a 1.42.0rc1 2021-09-01 11:47:24 +01:00
Richard van der Hoff a4c8a2f08b 1.41.1 2021-08-31 13:43:28 +01:00
Erik Johnston 6f77a3d433 1.41.0 2021-08-24 15:31:55 +01:00
Erik Johnston 49cb7eae97 1.41.0rc1 2021-08-18 15:52:11 +01:00
Brendan Abolivier b5de77cf86 Merge branch 'master' into develop 2021-08-10 14:23:57 +01:00
Brendan Abolivier 9f7c038272 1.40.0 2021-08-10 13:50:58 +01:00
Brendan Abolivier f8e86b7d2e
Merge branch 'release-v1.40' into develop 2021-08-09 14:44:28 +01:00
Brendan Abolivier ad35b7739e 1.40.0rc3 2021-08-09 13:41:29 +01:00
Erik Johnston a36d77c563 Merge tag 'v1.40.0rc2' into develop
Synapse 1.40.0rc2 (2021-08-04)
==============================

Bugfixes
--------

- Fix the `PeriodicallyFlushingMemoryHandler` inhibiting application shutdown because of its background thread. ([\#10517](https://github.com/matrix-org/synapse/issues/10517))
- Fix a bug introduced in Synapse v1.40.0rc1 that could cause Synapse to respond with an error when clients would update read receipts. ([\#10531](https://github.com/matrix-org/synapse/issues/10531))

Internal Changes
----------------

- Fix release script to open the correct URL for the release. ([\#10516](https://github.com/matrix-org/synapse/issues/10516))
2021-08-05 11:15:29 +01:00
Brendan Abolivier 02c2f631ae 1.40.0rc2 2021-08-04 17:09:27 +01:00
Richard van der Hoff 951648f26a
Fix debian package triggers (#10481)
Replace the outdated list of dpkg triggers with an autogenerated one.
2021-08-03 14:45:21 +01:00
Erik Johnston c8566191fc 1.40.0rc1 2021-08-03 11:32:10 +01:00
Erik Johnston 65f520697d Merge remote-tracking branch 'origin/master' into develop 2021-07-29 16:29:17 +01:00
Erik Johnston 5522a103a9 1.39.0 2021-07-29 09:59:07 +01:00
Erik Johnston 8c201c97ec Synapse 1.39.0rc3 (2021-07-28)
==============================
 
 Bugfixes
 --------
 
 - Fix a bug introduced in Synapse 1.38 which caused an exception at startup when SAML authentication was enabled. ([\#10477](https://github.com/matrix-org/synapse/issues/10477))
 - Fix a long-standing bug where Synapse would not inform clients that a device had exhausted its one-time-key pool, potentially causing problems decrypting events. ([\#10485](https://github.com/matrix-org/synapse/issues/10485))
 - Fix reporting old R30 stats as R30v2 stats. Introduced in v1.39.0rc1. ([\#10486](https://github.com/matrix-org/synapse/issues/10486))
 
 Internal Changes
 ----------------
 
 - Fix an error which prevented the Github Actions workflow to build the docker images from running. ([\#10461](https://github.com/matrix-org/synapse/issues/10461))
 - Fix release script to correctly version debian changelog when doing RCs. ([\#10465](https://github.com/matrix-org/synapse/issues/10465))
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEBTGR3/RnAzBGUif3pULk7RsPrAkFAmEBUJUQHGVyaWtAbWF0
 cml4Lm9yZwAKCRClQuTtGw+sCWi6CACfA3B7rXfQIO893mctSZkNhtAG/e4o310M
 etvjAtovKmKeFqBvm89FPmFoXvGA2ypoz7Jz2fdkP56DNKIXvihnDc8EeQ3gGawf
 hQ8GBjICOL1e7R/4qzuOCWYdppBGoGNAbz7qyxAUxZ/XOzsPJ2VBGkgyXWZkyPe/
 nJYsuMuMp117HUwTqPqs3oZuTN0MRTy6xgaDfbFbcX9UC/amLmGIWOhlme8iV15r
 HQAW0X7F2Un5h7eQwogWTDb9gBHKnJ4ApaSJLfZl9E72i0Sv7o9UFcLIdy2DRVSq
 gxlRBVzVU6ZndCQ4vQXFSjQ20VGNXc2vpKVRE1D6YXxmxVNbBQB4
 =lb6H
 -----END PGP SIGNATURE-----

Merge tag 'v1.39.0rc3' into develop

Synapse 1.39.0rc3 (2021-07-28)
==============================

Bugfixes
--------

- Fix a bug introduced in Synapse 1.38 which caused an exception at startup when SAML authentication was enabled. ([\#10477](https://github.com/matrix-org/synapse/issues/10477))
- Fix a long-standing bug where Synapse would not inform clients that a device had exhausted its one-time-key pool, potentially causing problems decrypting events. ([\#10485](https://github.com/matrix-org/synapse/issues/10485))
- Fix reporting old R30 stats as R30v2 stats. Introduced in v1.39.0rc1. ([\#10486](https://github.com/matrix-org/synapse/issues/10486))

Internal Changes
----------------

- Fix an error which prevented the Github Actions workflow to build the docker images from running. ([\#10461](https://github.com/matrix-org/synapse/issues/10461))
- Fix release script to correctly version debian changelog when doing RCs. ([\#10465](https://github.com/matrix-org/synapse/issues/10465))
2021-07-28 15:53:53 +01:00
Erik Johnston 5146e19880 1.39.0rc3 2021-07-28 13:31:18 +01:00
Erik Johnston 6e2275649c Synapse 1.38.1 (2021-07-22)
===========================
 
 Bugfixes
 --------
 
 - Always include `device_one_time_keys_count` key in `/sync` response to work around a bug in Element Android that broke encryption for new devices. ([\#10457](https://github.com/matrix-org/synapse/issues/10457))
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEBTGR3/RnAzBGUif3pULk7RsPrAkFAmD5g1QQHGVyaWtAbWF0
 cml4Lm9yZwAKCRClQuTtGw+sCZ9CB/9ha7LLrLRyU8hfxOi9uXDvnogFTTpkdxs9
 iqIlB9bzy7u7B2Cl/y9eEK1uRBEDYuwH43515wVoPrfixECt3JROkv8D0T7nzcia
 m3oiiA4XW1wWV1YmK89nbSQpb8X8DdnaXWJlkqZZYKEKlLlNCZDu+rWLXSLhIHNJ
 ERsc8SmlxCDzF1fuzbPrwTc8MD8WVJU6spuYVHJ2p7NsW9Zqjybs0ZORXq06Ih5I
 eeZ67Tc6BiDubV+DvRK451t84DazHG6AXyz2As4kSvzkca6GmN8KwcMrFXderhDj
 F5mHGAMDUjB/mUCHveB2WdL5OjyvUlTY5FrFwfMu1wrNmp2/93Tg
 =MTCR
 -----END PGP SIGNATURE-----

Merge tag 'v1.38.1' into release-v1.39

Synapse 1.38.1 (2021-07-22)
===========================

Bugfixes
--------

- Always include `device_one_time_keys_count` key in `/sync` response to work around a bug in Element Android that broke encryption for new devices. ([\#10457](https://github.com/matrix-org/synapse/issues/10457))
2021-07-23 09:07:42 +01:00
Erik Johnston 683deee9a4 Merge branch 'master' into develop 2021-07-23 09:03:19 +01:00
Erik Johnston 283bb5c94e 1.38.1 2021-07-22 15:37:10 +01:00
Richard van der Hoff 8ae0bdca75
Drop xenial-support hacks (#10429) 2021-07-21 21:25:28 +01:00
Andrew Morgan e009d2e90a 1.39.0rc1 2021-07-20 14:28:49 +01:00
Richard van der Hoff 08a8297c0d fix debian changelog 2021-07-13 13:22:12 +01:00
Richard van der Hoff c647c2a9ac 1.38.0 2021-07-13 13:19:06 +01:00
Richard van der Hoff f7bfa694ae 1.38.0rc3 2021-07-13 11:57:55 +01:00
Erik Johnston 6655ea5587
Add script for getting info about recently registered users (#10290) 2021-07-06 13:03:16 +01:00
Erik Johnston f193034d59 1.37.1 2021-06-30 12:24:13 +01:00
Brendan Abolivier cdf569e468 1.37.0 2021-06-29 10:15:34 +01:00
Erik Johnston 1c8045f674 1.36.0 2021-06-15 15:42:02 +01:00
Patrick Cloke 57c01dca29 1.35.1 2021-06-03 08:18:22 -04:00
Andrew Morgan a8372ad591 1.35.0 2021-06-01 13:23:55 +01:00
Erik Johnston afb6dcf806 1.34.0 2021-05-17 11:34:39 +01:00
Brendan Abolivier 86fb71431c
1.33.2 2021-05-11 14:01:32 +01:00
Erik Johnston ac88aca7f7 1.33.1 2021-05-06 14:06:38 +01:00
Brendan Abolivier 0644ac0989 1.33.0 2021-05-05 14:15:54 +01:00
Andrew Morgan ca380881b1 Update dates in changelogs 2021-04-21 18:47:31 +01:00
Andrew Morgan 55159c48e3 1.32.2 2021-04-21 18:45:39 +01:00
Andrew Morgan a745531c10 1.32.1 2021-04-21 14:01:12 +01:00
Andrew Morgan e031c7e0cc 1.32.0 2021-04-20 14:31:27 +01:00
Dan Callahan 3efde8b69a
Add option to skip unit tests when building debs (#9793)
Signed-off-by: Dan Callahan <danc@element.io>
2021-04-12 15:27:05 +01:00
Erik Johnston 1d8863c67d 1.31.0 2021-04-06 13:09:56 +01:00
Erik Johnston c6f8e8086c 1.30.1 2021-03-26 12:03:29 +00:00
Erik Johnston e2904f720d 1.30.0 2021-03-22 13:15:55 +00:00
Erik Johnston 15c788e22d 1.29.0 2021-03-08 13:52:13 +00:00
Jonathan de Jong e12077a78a
Allow bytecode again (#9502)
In #75, bytecode was disabled (from a bit of FUD back in `python<2.4` days, according to dev chat), I think it's safe enough to enable it again.

Added in `__pycache__/` and `.pyc`/`.pyd` to `.gitignore`, to extra-insure compiled files don't get committed.

`Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
2021-02-26 18:30:54 +00:00
Erik Johnston b5c4fe1971 1.28.0 2021-02-25 10:22:07 +00:00
Erik Johnston a27c1fd74b 1.27.0 2021-02-16 13:12:02 +00:00
Dan Callahan e19396d622
Fix Debian builds on Xenial (#9254)
Adds note about updating dh-virtualenv once we drop support for Xenial.

We can't update now, because it needs debhelper 12, while Xenial only
backports 10.

Signed-off-by: Dan Callahan <danc@element.io>
2021-01-29 14:56:04 +00:00
Patrick Cloke ccb9616f26 Update debian changelog. 2021-01-27 12:45:02 -05:00
Richard van der Hoff 9ffac2bef1
Remote dependency on distutils (#9125)
`distutils` is pretty much deprecated these days, and replaced with
`setuptools`. It's also annoying because it's you can't `pip install` it, and
it's hard to figure out which debian package we should depend on to make sure
it's there.

Since we only use it for a tiny function anyway, let's just vendor said
function into our codebase.
2021-01-15 15:59:20 +00:00
Erik Johnston 3dd6ba135e 1.25.0 2021-01-13 10:19:12 +00:00
Dan Callahan fa6deb298b
Fix failures in Debian packaging (#9079)
Debian package builds were failing for two reasons:

 1. Python versions prior to 3.7 throw exceptions when attempting to print
    Unicode characters under a "C" locale. (#9076)

 2. We depended on `dh-systemd` which no longer exists in Debian Bullseye, but
    is necessary in Ubuntu Xenial. (#9073)

Setting `LANG="C.UTF-8"` in the build environment fixes the first issue.
See also: https://bugs.python.org/issue19846

The second issue is a bit trickier. The dh-systemd package was merged into
debhelper version 9.20160709 and a transitional package left in its wake.

The transitional dh-systemd package was removed in Debian Bullseye.

However, Ubuntu Xenial ships an older debhelper, and still needs dh-systemd.

Thus, builds were failing on Bullseye since we depended on a package which had
ceased existing, but we couldn't remove it from the debian/control file and our
build scripts because we still needed it for Ubuntu Xenial.

We can fix the debian/control issue by listing dh-systemd as an alternative to
the newer versions of debhelper. Since dh-systemd declares that it depends on
debhelper, Ubuntu Xenial will select its older dh-systemd which will in turn
pull in its older debhelper, resulting in no change from the status quo. All
other supported releases will satisfy the debhelper dependency constraint and
skip the dh-systemd alternative.

Build scripts were fixed by unconditionally attempting to install dh-systemd on
all releases and suppressing failures.

Once we drop support for Ubuntu Xenial, we can revert most of this commit and
rely on the version constraint on debhelper in debian/control.

Fixes #9076
Fixes #9073

Signed-off-by: Dan Callahan <danc@element.io>
2021-01-12 14:15:04 +00:00
Erik Johnston 320e8c8064 Synapse 1.23.1 (2020-12-09)
===========================
 
 Due to the two security issues highlighted below, server administrators are
 encouraged to update Synapse. We are not aware of these vulnerabilities being
 exploited in the wild.
 
 Security advisory
 -----------------
 
 The following issues are fixed in v1.23.1 and v1.24.0.
 
 - There is a denial of service attack
   ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
   against the federation APIs in which future events will not be correctly sent
   to other servers over federation. This affects all servers that participate in
   open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).
 
 - Synapse may be affected by OpenSSL
   [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
   Synapse administrators should ensure that they have the latest versions of
   the cryptography Python package installed.
 
 To upgrade Synapse along with the cryptography package:
 
 * Administrators using the [`matrix.org` Docker
   image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
   packages from
   `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
   should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
   the updated packages.
 * Administrators who have [installed Synapse from
   source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
   should upgrade the cryptography package within their virtualenv by running:
   ```sh
   <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
   ```
 * Administrators who have installed Synapse from distribution packages should
   consult the information from their distributions.
 
 Bugfixes
 --------
 
 - Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))
 
 Internal Changes
 ----------------
 
 - Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEBTGR3/RnAzBGUif3pULk7RsPrAkFAl/QsOYQHGVyaWtAbWF0
 cml4Lm9yZwAKCRClQuTtGw+sCZTkCACEDbyMY/UCqJaUILxtYeBE7K4GvOqPPHyo
 2VLjyitI7XWVzB/paUOPxAtOtiwXS0GOrL+UsW6Lky2HIjafjLe1Z3LHzATQwF2I
 J2bZWTY1Y4v3y8B7noPmp7+QFIBIey++09BY+MwzT3EQYnXt6lvoHmEvPH/htzjg
 LfdZpSj4WrJr4S2/W0rVlkGSuIShN0Tnv6pTgbGRZMt1N4JH2mo65mCGt3xrMS7E
 us+xqStGh5Q+9g3F913iIJ8noUMeCvTT7hbr1eonhZ3MIKWG30z+zcXwmGb0t3B8
 zvTFXqdbZPSw+ZZdxaZwZuJzNCnYOu6t0JuzXqDoE0xsHb8RVUe9
 =Z9US
 -----END PGP SIGNATURE-----

Merge tag 'v1.23.1'

Synapse 1.23.1 (2020-12-09)
===========================

Due to the two security issues highlighted below, server administrators are
encouraged to update Synapse. We are not aware of these vulnerabilities being
exploited in the wild.

Security advisory
-----------------

The following issues are fixed in v1.23.1 and v1.24.0.

- There is a denial of service attack
  ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
  against the federation APIs in which future events will not be correctly sent
  to other servers over federation. This affects all servers that participate in
  open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).

- Synapse may be affected by OpenSSL
  [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
  Synapse administrators should ensure that they have the latest versions of
  the cryptography Python package installed.

To upgrade Synapse along with the cryptography package:

* Administrators using the [`matrix.org` Docker
  image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
  packages from
  `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
  should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
  the updated packages.
* Administrators who have [installed Synapse from
  source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
  should upgrade the cryptography package within their virtualenv by running:
  ```sh
  <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
  ```
* Administrators who have installed Synapse from distribution packages should
  consult the information from their distributions.

Bugfixes
--------

- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))

Internal Changes
----------------

- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
2020-12-09 11:29:56 +00:00
Erik Johnston 1cec3d1457 1.23.1 2020-12-09 11:07:41 +00:00
Erik Johnston 9b26a4ac87 1.24.0 2020-12-09 11:07:24 +00:00