Changes in synapse v0.31.1 (2018-06-08)
=======================================

v0.31.1 fixes a security bug in the ``get_missing_events`` federation API
where event visibility rules were not applied correctly.

We are not aware of it being actively exploited but please upgrade asap.

Bug Fixes:

* Fix event filtering in get_missing_events handler (PR #3371)

Merge tag 'v0.31.1'

pull/3377/head
Neil Johnson 2018-06-08 15:46:18 +01:00
commit 1032393dfb
3 changed files with 20 additions and 5 deletions


@ -1,15 +1,27 @@
Changes in synapse v0.31.1 (2018-06-08)
=======================================
v0.31.1 fixes a security bug in the ``get_missing_events`` federation API
where event visibility rules were not applied correctly.
We are not aware of it being actively exploited but please upgrade asap.
Bug Fixes:
* Fix event filtering in get_missing_events handler (PR #3371)
Changes in synapse v0.31.0 (2018-06-06) Changes in synapse v0.31.0 (2018-06-06)
======================================= =======================================
Most notable change from v0.30.0 is to switch to python prometheus library to improve system Most notable change from v0.30.0 is to switch to the python prometheus library to improve system
stats reporting. WARNING this changes a number of prometheus metrics in a stats reporting. WARNING: this changes a number of prometheus metrics in a
backwards-incompatible manner. For more details, see backwards-incompatible manner. For more details, see
`docs/metrics-howto.rst <docs/metrics-howto.rst#removal-of-deprecated-metrics--time-based-counters-becoming-histograms-in-0310>`_. `docs/metrics-howto.rst <docs/metrics-howto.rst#removal-of-deprecated-metrics--time-based-counters-becoming-histograms-in-0310>`_.
Bug Fixes: Bug Fixes:
* Fix metric documentation tables (PR #3341) * Fix metric documentation tables (PR #3341)
* Fix LaterGuage error handling (694968f) * Fix LaterGauge error handling (694968f)
* Fix replication metrics (b7e7fd2) * Fix replication metrics (b7e7fd2)
Changes in synapse v0.31.0-rc1 (2018-06-04) Changes in synapse v0.31.0-rc1 (2018-06-04)
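Review bot: The new v0.31.1 entry at the top of this hunk says only that event visibility rules "were not applied correctly" in ``get_missing_events``; it does not say which releases are affected or what a remote server could obtain, so an operator cannot judge exposure from the changelog alone. Consider adding a sentence on affected versions and impact. The same hunk also rewords the v0.31.0 entry (the added "the", "WARNING:", and the LaterGuage to LaterGauge spelling fix); those edits are unrelated to the security fix and would be easier to audit as a separate change.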
@ -29,7 +41,6 @@ Changes:
* Remove users from user directory on deactivate (PR #3277) * Remove users from user directory on deactivate (PR #3277)
* Avoid sending consent notice to guest users (PR #3288) * Avoid sending consent notice to guest users (PR #3288)
* disable CPUMetrics if no /proc/self/stat (PR #3299) * disable CPUMetrics if no /proc/self/stat (PR #3299)
* Add local and loopback IPv6 addresses to url_preview_ip_range_blacklist (PR #3312) Thanks to @thegcat!
* Consistently use six's iteritems and wrap lazy keys/values in list() if they're not meant to be lazy (PR #3307) * Consistently use six's iteritems and wrap lazy keys/values in list() if they're not meant to be lazy (PR #3307)
* Add private IPv6 addresses to example config for url preview blacklist (PR #3317) Thanks to @thegcat! * Add private IPv6 addresses to example config for url preview blacklist (PR #3317) Thanks to @thegcat!
* Reduce stuck read-receipts: ignore depth when updating (PR #3318) * Reduce stuck read-receipts: ignore depth when updating (PR #3318)
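Review bot: The v0.31.0-rc1 list loses the line "Add local and loopback IPv6 addresses to url_preview_ip_range_blacklist (PR #3312)" with no explanation in the commit message. Since the entry concerns the URL preview IP blacklist, please state whether PR #3312 was dropped from the release or the line was a duplicate of the PR #3317 entry that remains, so readers of the changelog know which change is actually included.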


@ -16,4 +16,4 @@
""" This is a reference implementation of a Matrix home server. """ This is a reference implementation of a Matrix home server.
""" """
__version__ = "0.31.0" __version__ = "0.31.1"


@ -1794,6 +1794,10 @@ class FederationHandler(BaseHandler):
min_depth=min_depth, min_depth=min_depth,
) )
missing_events = yield self._filter_events_for_server(
origin, room_id, missing_events,
)
defer.returnValue(missing_events) defer.returnValue(missing_events)
@defer.inlineCallbacks @defer.inlineCallbacks
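Review bot: No test accompanies the new `_filter_events_for_server(origin, room_id, missing_events)` call; the commit touches three files (changelog, version string, handler) and none is a test. A regression test that requests missing events as a server not permitted to see some of them, and asserts they are absent from the result, would keep this filter from being dropped in a later refactor. A one-line comment above the call saying the filter enforces event visibility for `origin` would also help.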