kaslo/synapse
1
0
Fork 0
Code Wiki Activity

Merge commit '9b8a53c7b' into anoa/dinsic_release_1_21_x

Browse Source 
* commit '9b8a53c7b':
  Additional tweaks.
  Clarify authlib changes.
  Fix typo.
  Add additional release notes.
This commit is contained in:
Andrew Morgan
2020-10-21 15:13:07 +01:00
parent cd50eba74b 9b8a53c7b9
commit 91ce65f05d
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
CHANGES.md
View File

@@ -1,10 +1,25 @@
Synapse 1.21.2 (2020-10-15)
===========================
Debian packages and Docker images have been rebuilt using the latest versions of dependency libraries, including authlib 0.15.1. Please see bugfixes below.
Security advisory
-----------------
* HTML pages served via Synapse were vulnerable to cross-site scripting (XSS)
attacks. All server administrators are encouraged to upgrade.
([\#8444](https://github.com/matrix-org/synapse/pull/8444))
([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891))
This fix was originally included in v1.21.0 but was missing a security advisory.
This was reported by [Denis Kasak](https://github.com/dkasak).
Bugfixes
--------
- Fix rare bug where sending an event would fail due to a racey assertion. ([\#8530](https://github.com/matrix-org/synapse/issues/8530))
- An updated version of the authlib dependency is included in the Docker and Debian images to fix an issue using OpenID Connect. See [\#8534](https://github.com/matrix-org/synapse/issues/8534) for details.
Synapse 1.21.1 (2020-10-13)