Merge branch 'release-v1.139'

2025-10-07 13:55:48 +01:00
parent 765817a1ad 76b012c3f5
commit 459ebe07fc
8 changed files with 299 additions and 38 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,15 @@
+# Synapse 1.139.1 (2025-10-07)
+
+## Security Fixes
+
+- Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([\#17097](https://github.com/element-hq/synapse/issues/17097))
+
+## Deprecations and Removals
+
+- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
+
+
+
 # Synapse 1.139.0 (2025-09-30)

 ### `/register` requests from old application service implementations may break when using MAS