@@ -1,3 +1,49 @@
+Synapse 1.24.0 (2020-12-09)
+===========================
+
+Due to the two security issues highlighted below, server administrators are
+encouraged to update Synapse. We are not aware of these vulnerabilities being
+exploited in the wild.
+
+Security advisory
+-----------------
+
+The following issues are fixed in v1.23.1 and v1.24.0.
+
+- There is a denial of service attack
+ ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
+ against the federation APIs in which future events will not be correctly sent
+ to other servers over federation. This affects all servers that participate in
+ open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).
+
+- Synapse may be affected by OpenSSL
+ [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
+ Synapse administrators should ensure that they have the latest versions of
+ the cryptography Python package installed.
+
+To upgrade Synapse along with the cryptography package:
+
+* Administrators using the [`matrix.org` Docker
+ image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
+ packages from
+ `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
+ should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
+ the updated packages.
+* Administrators who have [installed Synapse from
+ source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
+ should upgrade the cryptography package within their virtualenv by running:
+ ```sh
+ <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
+ ```
+* Administrators who have installed Synapse from distribution packages should
+ consult the information from their distributions.
+
+Internal Changes
+----------------
+
+- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
+
+
Synapse 1.24.0rc2 (2020-12-04)
==============================
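Review bot: the source-install bullet's `pip install 'cryptography>=3.3'` only addresses CVE-2020-1971 when pip installs a binary wheel, because the wheel carries its own statically linked OpenSSL; an administrator whose virtualenv built cryptography from source (no wheel available for their platform, or `--no-binary` in use) stays linked against the system libssl and needs that library updated instead, which the bullet does not say. Suggest adding one sentence after the fenced command, e.g. "If pip builds cryptography from source rather than installing a wheel, update the system OpenSSL instead and reinstall the package." Two smaller wording points in the same hunk: in the Docker/Debian bullet, "these images include the updated packages" reads as Docker-only even though the bullet also covers the Debian/Ubuntu packages ("these images and packages include" would cover both); and the DoS entry's "future events will not be correctly sent" would read more clearly as "subsequent events will not be sent" given that the impact is a stalled outbound federation queue.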