Commit graph

256 commits

Author SHA1 Message Date
Andrew Morgan
ab12c909a2 1.50.1 2022-01-18 16:09:04 +00:00
Andrew Morgan
3ba9389699 1.50.0 2022-01-18 10:41:36 +00:00
Olivier Wilkinson (reivilibre)
867443472c 1.50.0rc2 2022-01-14 11:34:57 +00:00
Olivier Wilkinson (reivilibre)
9be5aacc2d 1.50.0rc1 2022-01-05 12:39:48 +00:00
Richard van der Hoff
aa874a1390 1.49.2 2021-12-21 17:32:16 +00:00
Richard van der Hoff
8c36d332d5 1.49.1 2021-12-21 11:07:41 +00:00
Olivier Wilkinson (reivilibre)
9f3c7e85a4 1.49.0 2021-12-14 12:56:14 +00:00
Sean Quah
966b5d0fa0 1.49.0rc1 2021-12-07 13:56:09 +00:00
Brendan Abolivier
4bdad80de1 1.48.0 2021-11-30 11:24:21 +00:00
Brendan Abolivier
946c102ac9 1.48.0rc1 2021-11-25 15:57:04 +00:00
Sean Quah
97a402302c 1.47.1 2021-11-19 14:08:59 +00:00
David Robertson
9f9d82aa84
1.47.0 2021-11-17 13:10:12 +00:00
Andrew Morgan
edcdc5fd82 1.47.0rc3 2021-11-16 14:34:46 +00:00
Olivier Wilkinson (reivilibre)
ef7f9286d1 Move Debian changelog entries to rc2 since rc1 was not published 2021-11-10 09:48:50 +00:00
Olivier Wilkinson (reivilibre)
82e62b488a 1.47.0rc2 2021-11-10 09:44:38 +00:00
Olivier Wilkinson (reivilibre)
af6374905a Correct the Debian changelog 2021-11-10 09:37:48 +00:00
Olivier Wilkinson (reivilibre)
01f61da77f 1.47.0rc1 2021-11-09 12:17:35 +00:00
Dan Callahan
556a488209
Address review feedback from #11269 (#11273)
Signed-off-by: Dan Callahan <danc@element.io>
2021-11-08 11:57:37 +00:00
Dan Callahan
9799c569bb
Minor cleanup to Debian packaging (#11269)
* Remove unused Vagrant scripts

* Change package Architecture to any

* Preinstall the wheel package when building venvs.

Addresses the following warnings during Debian builds:

    Using legacy 'setup.py install' for jaeger-client, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for matrix-synapse-ldap3, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for opentracing, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for psycopg2, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for systemd-python, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for pympler, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for threadloop, since package 'wheel' is not installed.
    Using legacy 'setup.py install' for thrift, since package 'wheel' is not installed.

* Allow /etc/default/matrix-synapse to be missing

Per the systemd.exec manpage, prefixing an EnvironmentFile with "-":

> indicates that if the file does not exist, it will not be read and no
> error or warning message is logged.

Signed-off-by: Dan Callahan <danc@element.io>
2021-11-07 21:18:33 +00:00
Erik Johnston
237f7eb87a Merge remote-tracking branch 'origin/master' into develop 2021-11-02 14:28:27 +00:00
Erik Johnston
df84ad602b 1.46.0 2021-11-02 13:23:01 +00:00
Dan Callahan
0dffa9d0e0
Merge remote-tracking branch 'origin/develop' into shellcheck
Fixes a merge conflict with debian/changelog

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-27 20:04:00 +01:00
Richard van der Hoff
576921c66a
Force deb compression with xz. (#11197)
Fixes a problem where `impish` packages could not be processed by `reprepro`.
2021-10-27 17:06:32 +01:00
Sean Quah
cc75a6b1b2 1.46.0rc1 2021-10-26 14:04:51 +01:00
Dan Callahan
1afc6ecae1
Changelog
Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:21:40 +01:00
Dan Callahan
d7141e0b8b
Fix Shellcheck SC2006: Use $(...) notation
Use $(...) notation instead of legacy backticked `...`.

https://github.com/koalaman/shellcheck/wiki/SC2006

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:55 +01:00
Dan Callahan
13f084eb58
Fix Shellcheck SC2086: Quote to prevent splitting
Double quote to prevent globbing and word splitting.

https://github.com/koalaman/shellcheck/wiki/SC2086

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan
31096132c3
Fix Shellcheck SC2012: Use find instead of ls
Use find instead of ls to better handle non-alphanumeric filenames.

https://github.com/koalaman/shellcheck/wiki/SC2012

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan
9d0f9d51d5
Fix Shellcheck SC2016: Single quotes don't expand
Expressions don't expand in single quotes, use double quotes for that.

https://github.com/koalaman/shellcheck/wiki/SC2016

This specifically warned about the '$aregis...' part of the sed script.
Which is a relatively obscure use of sed.

Splitting this into two commands makes its intent more obvious and
avoids contravening Shellcheck's lints.

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan
bab2bc844c
Fix Shellcheck SC1091: Can't follow file
Not following: (error message here)

https://github.com/koalaman/shellcheck/wiki/SC1091

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan
898e3be4c9
Fix Shellcheck SC2064: Use single quotes on traps
Use single quotes, otherwise this expands now rather than when signalled.

https://github.com/koalaman/shellcheck/wiki/SC2064

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:54 +01:00
Dan Callahan
64adbb7b54
Fix Shellcheck SC2046: Quote to prevent word split
Quote this to prevent word splitting

https://www.shellcheck.net/wiki/SC2046

Signed-off-by: Dan Callahan <danc@element.io>
2021-10-22 23:08:53 +01:00
Sean Quah
522489fbcd 1.45.1 2021-10-20 12:00:03 +01:00
David Robertson
8b1185347a
1.45.0 2021-10-19 11:19:55 +01:00
David Robertson
99a4e5222d
1.45.0rc2 2021-10-14 10:59:27 +01:00
Brendan Abolivier
8c5255b664 1.45.0rc1 2021-10-12 10:47:15 +01:00
Nick Barrett
c80878d22a
Add --run-background-updates option to update_database script. (#10954)
Signed-off-by: Nick Barrett <nick@beeper.com>
2021-10-06 11:26:18 +01:00
Brendan Abolivier
b2c5e79291 1.44.0 2021-10-05 13:45:24 +01:00
Brendan Abolivier
2d2c6a41fe 1.44.0rc3 2021-10-04 14:57:40 +01:00
Olivier Wilkinson (reivilibre)
3412f5c8d8 1.44.0rc2 2021-09-30 12:40:24 +01:00
Erik Johnston
3c50192d3f 1.44.0rc1 2021-09-28 13:42:21 +01:00
David Robertson
c4ef61136f 1.43.0 2021-09-21 11:49:15 +01:00
David Robertson
daac1e645c 1.43.0rc2 2021-09-17 10:43:51 +01:00
Andrew Morgan
d725e0956f 1.43.0rc1 2021-09-14 11:47:11 +01:00
Azrenbeth
6631321687 1.42.0 2021-09-07 16:20:03 +01:00
Brendan Abolivier
e9958d908d 1.42.0rc2 2021-09-06 15:25:23 +01:00
Olivier Wilkinson (reivilibre)
6b2aca473a 1.42.0rc1 2021-09-01 11:47:24 +01:00
Richard van der Hoff
a4c8a2f08b 1.41.1 2021-08-31 13:43:28 +01:00
Erik Johnston
6f77a3d433 1.41.0 2021-08-24 15:31:55 +01:00
Erik Johnston
49cb7eae97 1.41.0rc1 2021-08-18 15:52:11 +01:00
Brendan Abolivier
b5de77cf86 Merge branch 'master' into develop 2021-08-10 14:23:57 +01:00
Brendan Abolivier
9f7c038272 1.40.0 2021-08-10 13:50:58 +01:00
Brendan Abolivier
f8e86b7d2e
Merge branch 'release-v1.40' into develop 2021-08-09 14:44:28 +01:00
Brendan Abolivier
ad35b7739e 1.40.0rc3 2021-08-09 13:41:29 +01:00
Erik Johnston
a36d77c563 Merge tag 'v1.40.0rc2' into develop
Synapse 1.40.0rc2 (2021-08-04)
==============================

Bugfixes
--------

- Fix the `PeriodicallyFlushingMemoryHandler` inhibiting application shutdown because of its background thread. ([\#10517](https://github.com/matrix-org/synapse/issues/10517))
- Fix a bug introduced in Synapse v1.40.0rc1 that could cause Synapse to respond with an error when clients would update read receipts. ([\#10531](https://github.com/matrix-org/synapse/issues/10531))

Internal Changes
----------------

- Fix release script to open the correct URL for the release. ([\#10516](https://github.com/matrix-org/synapse/issues/10516))
2021-08-05 11:15:29 +01:00
Brendan Abolivier
02c2f631ae 1.40.0rc2 2021-08-04 17:09:27 +01:00
Richard van der Hoff
951648f26a
Fix debian package triggers (#10481)
Replace the outdated list of dpkg triggers with an autogenerated one.
2021-08-03 14:45:21 +01:00
Erik Johnston
c8566191fc 1.40.0rc1 2021-08-03 11:32:10 +01:00
Erik Johnston
65f520697d Merge remote-tracking branch 'origin/master' into develop 2021-07-29 16:29:17 +01:00
Erik Johnston
5522a103a9 1.39.0 2021-07-29 09:59:07 +01:00
Erik Johnston
8c201c97ec Synapse 1.39.0rc3 (2021-07-28)
==============================
 
 Bugfixes
 --------
 
 - Fix a bug introduced in Synapse 1.38 which caused an exception at startup when SAML authentication was enabled. ([\#10477](https://github.com/matrix-org/synapse/issues/10477))
 - Fix a long-standing bug where Synapse would not inform clients that a device had exhausted its one-time-key pool, potentially causing problems decrypting events. ([\#10485](https://github.com/matrix-org/synapse/issues/10485))
 - Fix reporting old R30 stats as R30v2 stats. Introduced in v1.39.0rc1. ([\#10486](https://github.com/matrix-org/synapse/issues/10486))
 
 Internal Changes
 ----------------
 
 - Fix an error which prevented the Github Actions workflow to build the docker images from running. ([\#10461](https://github.com/matrix-org/synapse/issues/10461))
 - Fix release script to correctly version debian changelog when doing RCs. ([\#10465](https://github.com/matrix-org/synapse/issues/10465))
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEBTGR3/RnAzBGUif3pULk7RsPrAkFAmEBUJUQHGVyaWtAbWF0
 cml4Lm9yZwAKCRClQuTtGw+sCWi6CACfA3B7rXfQIO893mctSZkNhtAG/e4o310M
 etvjAtovKmKeFqBvm89FPmFoXvGA2ypoz7Jz2fdkP56DNKIXvihnDc8EeQ3gGawf
 hQ8GBjICOL1e7R/4qzuOCWYdppBGoGNAbz7qyxAUxZ/XOzsPJ2VBGkgyXWZkyPe/
 nJYsuMuMp117HUwTqPqs3oZuTN0MRTy6xgaDfbFbcX9UC/amLmGIWOhlme8iV15r
 HQAW0X7F2Un5h7eQwogWTDb9gBHKnJ4ApaSJLfZl9E72i0Sv7o9UFcLIdy2DRVSq
 gxlRBVzVU6ZndCQ4vQXFSjQ20VGNXc2vpKVRE1D6YXxmxVNbBQB4
 =lb6H
 -----END PGP SIGNATURE-----

Merge tag 'v1.39.0rc3' into develop

Synapse 1.39.0rc3 (2021-07-28)
==============================

Bugfixes
--------

- Fix a bug introduced in Synapse 1.38 which caused an exception at startup when SAML authentication was enabled. ([\#10477](https://github.com/matrix-org/synapse/issues/10477))
- Fix a long-standing bug where Synapse would not inform clients that a device had exhausted its one-time-key pool, potentially causing problems decrypting events. ([\#10485](https://github.com/matrix-org/synapse/issues/10485))
- Fix reporting old R30 stats as R30v2 stats. Introduced in v1.39.0rc1. ([\#10486](https://github.com/matrix-org/synapse/issues/10486))

Internal Changes
----------------

- Fix an error which prevented the Github Actions workflow to build the docker images from running. ([\#10461](https://github.com/matrix-org/synapse/issues/10461))
- Fix release script to correctly version debian changelog when doing RCs. ([\#10465](https://github.com/matrix-org/synapse/issues/10465))
2021-07-28 15:53:53 +01:00
Erik Johnston
5146e19880 1.39.0rc3 2021-07-28 13:31:18 +01:00
Erik Johnston
6e2275649c Synapse 1.38.1 (2021-07-22)
===========================
 
 Bugfixes
 --------
 
 - Always include `device_one_time_keys_count` key in `/sync` response to work around a bug in Element Android that broke encryption for new devices. ([\#10457](https://github.com/matrix-org/synapse/issues/10457))
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEBTGR3/RnAzBGUif3pULk7RsPrAkFAmD5g1QQHGVyaWtAbWF0
 cml4Lm9yZwAKCRClQuTtGw+sCZ9CB/9ha7LLrLRyU8hfxOi9uXDvnogFTTpkdxs9
 iqIlB9bzy7u7B2Cl/y9eEK1uRBEDYuwH43515wVoPrfixECt3JROkv8D0T7nzcia
 m3oiiA4XW1wWV1YmK89nbSQpb8X8DdnaXWJlkqZZYKEKlLlNCZDu+rWLXSLhIHNJ
 ERsc8SmlxCDzF1fuzbPrwTc8MD8WVJU6spuYVHJ2p7NsW9Zqjybs0ZORXq06Ih5I
 eeZ67Tc6BiDubV+DvRK451t84DazHG6AXyz2As4kSvzkca6GmN8KwcMrFXderhDj
 F5mHGAMDUjB/mUCHveB2WdL5OjyvUlTY5FrFwfMu1wrNmp2/93Tg
 =MTCR
 -----END PGP SIGNATURE-----

Merge tag 'v1.38.1' into release-v1.39

Synapse 1.38.1 (2021-07-22)
===========================

Bugfixes
--------

- Always include `device_one_time_keys_count` key in `/sync` response to work around a bug in Element Android that broke encryption for new devices. ([\#10457](https://github.com/matrix-org/synapse/issues/10457))
2021-07-23 09:07:42 +01:00
Erik Johnston
683deee9a4 Merge branch 'master' into develop 2021-07-23 09:03:19 +01:00
Erik Johnston
283bb5c94e 1.38.1 2021-07-22 15:37:10 +01:00
Richard van der Hoff
8ae0bdca75
Drop xenial-support hacks (#10429) 2021-07-21 21:25:28 +01:00
Andrew Morgan
e009d2e90a 1.39.0rc1 2021-07-20 14:28:49 +01:00
Richard van der Hoff
08a8297c0d fix debian changelog 2021-07-13 13:22:12 +01:00
Richard van der Hoff
c647c2a9ac 1.38.0 2021-07-13 13:19:06 +01:00
Richard van der Hoff
f7bfa694ae 1.38.0rc3 2021-07-13 11:57:55 +01:00
Erik Johnston
6655ea5587
Add script for getting info about recently registered users (#10290) 2021-07-06 13:03:16 +01:00
Erik Johnston
f193034d59 1.37.1 2021-06-30 12:24:13 +01:00
Brendan Abolivier
cdf569e468 1.37.0 2021-06-29 10:15:34 +01:00
Erik Johnston
1c8045f674 1.36.0 2021-06-15 15:42:02 +01:00
Patrick Cloke
57c01dca29 1.35.1 2021-06-03 08:18:22 -04:00
Andrew Morgan
a8372ad591 1.35.0 2021-06-01 13:23:55 +01:00
Erik Johnston
afb6dcf806 1.34.0 2021-05-17 11:34:39 +01:00
Brendan Abolivier
86fb71431c
1.33.2 2021-05-11 14:01:32 +01:00
Erik Johnston
ac88aca7f7 1.33.1 2021-05-06 14:06:38 +01:00
Brendan Abolivier
0644ac0989 1.33.0 2021-05-05 14:15:54 +01:00
Andrew Morgan
ca380881b1 Update dates in changelogs 2021-04-21 18:47:31 +01:00
Andrew Morgan
55159c48e3 1.32.2 2021-04-21 18:45:39 +01:00
Andrew Morgan
a745531c10 1.32.1 2021-04-21 14:01:12 +01:00
Andrew Morgan
e031c7e0cc 1.32.0 2021-04-20 14:31:27 +01:00
Dan Callahan
3efde8b69a
Add option to skip unit tests when building debs (#9793)
Signed-off-by: Dan Callahan <danc@element.io>
2021-04-12 15:27:05 +01:00
Erik Johnston
1d8863c67d 1.31.0 2021-04-06 13:09:56 +01:00
Erik Johnston
c6f8e8086c 1.30.1 2021-03-26 12:03:29 +00:00
Erik Johnston
e2904f720d 1.30.0 2021-03-22 13:15:55 +00:00
Erik Johnston
15c788e22d 1.29.0 2021-03-08 13:52:13 +00:00
Jonathan de Jong
e12077a78a
Allow bytecode again (#9502)
In #75, bytecode was disabled (from a bit of FUD back in `python<2.4` days, according to dev chat), I think it's safe enough to enable it again.

Added in `__pycache__/` and `.pyc`/`.pyd` to `.gitignore`, to extra-insure compiled files don't get committed.

`Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
2021-02-26 18:30:54 +00:00
Erik Johnston
b5c4fe1971 1.28.0 2021-02-25 10:22:07 +00:00
Erik Johnston
a27c1fd74b 1.27.0 2021-02-16 13:12:02 +00:00
Dan Callahan
e19396d622
Fix Debian builds on Xenial (#9254)
Adds note about updating dh-virtualenv once we drop support for Xenial.

We can't update now, because it needs debhelper 12, while Xenial only
backports 10.

Signed-off-by: Dan Callahan <danc@element.io>
2021-01-29 14:56:04 +00:00
Patrick Cloke
ccb9616f26 Update debian changelog. 2021-01-27 12:45:02 -05:00
Richard van der Hoff
9ffac2bef1
Remote dependency on distutils (#9125)
`distutils` is pretty much deprecated these days, and replaced with
`setuptools`. It's also annoying because it's you can't `pip install` it, and
it's hard to figure out which debian package we should depend on to make sure
it's there.

Since we only use it for a tiny function anyway, let's just vendor said
function into our codebase.
2021-01-15 15:59:20 +00:00
Erik Johnston
3dd6ba135e 1.25.0 2021-01-13 10:19:12 +00:00
Dan Callahan
fa6deb298b
Fix failures in Debian packaging (#9079)
Debian package builds were failing for two reasons:

 1. Python versions prior to 3.7 throw exceptions when attempting to print
    Unicode characters under a "C" locale. (#9076)

 2. We depended on `dh-systemd` which no longer exists in Debian Bullseye, but
    is necessary in Ubuntu Xenial. (#9073)

Setting `LANG="C.UTF-8"` in the build environment fixes the first issue.
See also: https://bugs.python.org/issue19846

The second issue is a bit trickier. The dh-systemd package was merged into
debhelper version 9.20160709 and a transitional package left in its wake.

The transitional dh-systemd package was removed in Debian Bullseye.

However, Ubuntu Xenial ships an older debhelper, and still needs dh-systemd.

Thus, builds were failing on Bullseye since we depended on a package which had
ceased existing, but we couldn't remove it from the debian/control file and our
build scripts because we still needed it for Ubuntu Xenial.

We can fix the debian/control issue by listing dh-systemd as an alternative to
the newer versions of debhelper. Since dh-systemd declares that it depends on
debhelper, Ubuntu Xenial will select its older dh-systemd which will in turn
pull in its older debhelper, resulting in no change from the status quo. All
other supported releases will satisfy the debhelper dependency constraint and
skip the dh-systemd alternative.

Build scripts were fixed by unconditionally attempting to install dh-systemd on
all releases and suppressing failures.

Once we drop support for Ubuntu Xenial, we can revert most of this commit and
rely on the version constraint on debhelper in debian/control.

Fixes #9076
Fixes #9073

Signed-off-by: Dan Callahan <danc@element.io>
2021-01-12 14:15:04 +00:00
Erik Johnston
320e8c8064 Synapse 1.23.1 (2020-12-09)
===========================
 
 Due to the two security issues highlighted below, server administrators are
 encouraged to update Synapse. We are not aware of these vulnerabilities being
 exploited in the wild.
 
 Security advisory
 -----------------
 
 The following issues are fixed in v1.23.1 and v1.24.0.
 
 - There is a denial of service attack
   ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
   against the federation APIs in which future events will not be correctly sent
   to other servers over federation. This affects all servers that participate in
   open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).
 
 - Synapse may be affected by OpenSSL
   [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
   Synapse administrators should ensure that they have the latest versions of
   the cryptography Python package installed.
 
 To upgrade Synapse along with the cryptography package:
 
 * Administrators using the [`matrix.org` Docker
   image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
   packages from
   `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
   should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
   the updated packages.
 * Administrators who have [installed Synapse from
   source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
   should upgrade the cryptography package within their virtualenv by running:
   ```sh
   <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
   ```
 * Administrators who have installed Synapse from distribution packages should
   consult the information from their distributions.
 
 Bugfixes
 --------
 
 - Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))
 
 Internal Changes
 ----------------
 
 - Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEBTGR3/RnAzBGUif3pULk7RsPrAkFAl/QsOYQHGVyaWtAbWF0
 cml4Lm9yZwAKCRClQuTtGw+sCZTkCACEDbyMY/UCqJaUILxtYeBE7K4GvOqPPHyo
 2VLjyitI7XWVzB/paUOPxAtOtiwXS0GOrL+UsW6Lky2HIjafjLe1Z3LHzATQwF2I
 J2bZWTY1Y4v3y8B7noPmp7+QFIBIey++09BY+MwzT3EQYnXt6lvoHmEvPH/htzjg
 LfdZpSj4WrJr4S2/W0rVlkGSuIShN0Tnv6pTgbGRZMt1N4JH2mo65mCGt3xrMS7E
 us+xqStGh5Q+9g3F913iIJ8noUMeCvTT7hbr1eonhZ3MIKWG30z+zcXwmGb0t3B8
 zvTFXqdbZPSw+ZZdxaZwZuJzNCnYOu6t0JuzXqDoE0xsHb8RVUe9
 =Z9US
 -----END PGP SIGNATURE-----

Merge tag 'v1.23.1'

Synapse 1.23.1 (2020-12-09)
===========================

Due to the two security issues highlighted below, server administrators are
encouraged to update Synapse. We are not aware of these vulnerabilities being
exploited in the wild.

Security advisory
-----------------

The following issues are fixed in v1.23.1 and v1.24.0.

- There is a denial of service attack
  ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
  against the federation APIs in which future events will not be correctly sent
  to other servers over federation. This affects all servers that participate in
  open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).

- Synapse may be affected by OpenSSL
  [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
  Synapse administrators should ensure that they have the latest versions of
  the cryptography Python package installed.

To upgrade Synapse along with the cryptography package:

* Administrators using the [`matrix.org` Docker
  image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
  packages from
  `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
  should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
  the updated packages.
* Administrators who have [installed Synapse from
  source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
  should upgrade the cryptography package within their virtualenv by running:
  ```sh
  <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
  ```
* Administrators who have installed Synapse from distribution packages should
  consult the information from their distributions.

Bugfixes
--------

- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))

Internal Changes
----------------

- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
2020-12-09 11:29:56 +00:00
Erik Johnston
1cec3d1457 1.23.1 2020-12-09 11:07:41 +00:00
Erik Johnston
9b26a4ac87 1.24.0 2020-12-09 11:07:24 +00:00