From 548c4a6587fe517f3a66756407946335636cd044 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 26 Mar 2021 12:17:37 +0000 Subject: [PATCH] Update cahngelog --- CHANGES.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index f371f756de..2adff4263c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,8 +1,20 @@ Synapse 1.30.1 (2021-03-26) =========================== -This is a security release to ensure that Synapse is running with a -`cryptography` package built against a patched version of OpenSSL. +This release is identical to Synapse 1.30.0, with the exception of explicitly +setting a minimum version of Python's Cryptography library to ensure that users +of Synapse are protected from the recent [OpenSSL security advisories](https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html), +especially CVE-2021-3449. + +Note that Cryptography defaults to bundling its own statically linked copy of +OpenSSL, which means that you may not be protected by your operating system's +security updates. + +It's also worth noting that Cryptography no longer supports Python 3.5, so +admins deploying to older environments may not be protected against this or +future vulnerabilities. + + Updates to the Docker image