MatrixSynapse/synapse/federation
Amber Brown 4a5fb548b6
 Synapse 1.2.1 (2019-07-26)
==========================
 
 Security update
 ---------------
 
 This release includes *four* security fixes:
 
 - Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. ([\#5767](https://github.com/matrix-org/synapse/issues/5767))
 - Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely. Thanks to `@lrizika:matrix.org` for identifying and responsibly disclosing this issue. ([0f2ecb961](https://github.com/matrix-org/synapse/commit/0f2ecb961))
 - Prevent an attack where users could be joined or parted from public rooms without their consent. Thanks to @Dylanger for identifying and responsibly disclosing this issue. ([\#5744](https://github.com/matrix-org/synapse/issues/5744))
 - Fix a vulnerability where a federated server could spoof read-receipts from
   users on other servers. Thanks to @Dylanger for identifying this issue too. ([\#5743](https://github.com/matrix-org/synapse/issues/5743))
 
 Additionally, the following fix was in Synapse **1.2.0**, but was not correctly
 identified during the original release:
 
 - It was possible for a room moderator to send a redaction for an `m.room.create` event, which would downgrade the room to version 1. Thanks to `/dev/ponies` for identifying and responsibly disclosing this issue! ([\#5701](https://github.com/matrix-org/synapse/issues/5701))

Merge tag 'v1.2.1' into shhs

2019-07-26 20:59:41 +10:00
..
sender remove dead transaction persist code (#5622) 2019-07-05 12:59:42 +01:00
transport No changes since v1.2.0rc2. 2019-07-26 01:48:50 +10:00
__init__.py Remove unused ReplicationLayer 2018-03-13 11:00:04 +00:00
federation_base.py Move logging utilities out of the side drawer of util/ and into logging/ (#5606) 2019-07-04 00:07:04 +10:00
federation_client.py Merge remote-tracking branch 'origin/develop' into shhs 2019-07-05 23:49:13 +10:00
federation_server.py Log when we receive a /make_* request from a different origin 2019-07-26 10:08:22 +01:00
persistence.py remove dead transaction persist code (#5622) 2019-07-05 12:59:42 +01:00
send_queue.py Run Black. (#5482) 2019-06-20 19:32:02 +10:00
units.py Run Black. (#5482) 2019-06-20 19:32:02 +10:00