|
|
@@ -1,11 +1,20 @@
|
|
|
Changes in [1.0.3](https://github.com/matrix-org/sydent/releases/tag/v1.0.3) (2019-05-03)
|
|
|
=========================================================================================
|
|
|
|
|
|
+ * Use trustRoot instead of verify for request verification
|
|
|
+
|
|
|
Security Fixes
|
|
|
--------------
|
|
|
- * Mitigate an HTML injection bug where an invalid room_id could result in malicious
|
|
|
- HTML being injected into validation emails. Thanks to @opnsec for identifying and
|
|
|
- responsibly disclosing this issue!
|
|
|
+ * Ensures that authentication tokens are generated using a secure random number
|
|
|
+ generator, ensuring they cannot be predicted by an attacker. Thanks to @opnsec
|
|
|
+ for identifying and responsibly disclosing the issue!
|
|
|
+ * Mitigate an HTML injection bug where an invalid room_id could result in
|
|
|
+ malicious HTML being injected into validation emails. Thanks to @opnsec
|
|
|
+ for identifying and responsibly disclosing this issue too!
|
|
|
+ * Randomise session_ids to avoid leaking info about the total number of
|
|
|
+ identity validations, and whether a given ID has been validated.
|
|
|
+ Thanks to @fs0c131y for this one.
|
|
|
+ * Don't send tracebacks to the browser when errors occur.
|
|
|
|
|
|
|
|
|
Changes in [1.0.2](https://github.com/matrix-org/sydent/releases/tag/v1.0.2) (2019-04-18)
|
David Baker