kaslo/synapse
1
0
Fork 0
Code Packages Releases 124 Wiki Activity

1.138.3

Browse Source
This commit is contained in:
Andrew Morgan
2025-10-07 12:54:43 +01:00
parent 7069636c2d
commit 527e831b61
5 changed files with 20 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGES.md
View File

@@ -1,3 +1,16 @@
# Synapse 1.138.3 (2025-10-07)
## Security Fixes
- Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([\#17097](https://github.com/element-hq/synapse/issues/17097))
## Deprecations and Removals
- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
# Synapse 1.138.2 (2025-09-24)
## Internal Changes