kaslo/synapse
1
0
Fork 0
Code Wiki Activity
Files
95f29bce7fe6c99db81a815b0d300304347b0bfd
synapse/tests
History
Brendan Abolivier 6355ca39ad Merge tag 'v1.41.1' into babolivier/dinsic_1.41.0 
Synapse 1.41.1 (2021-08-31)
===========================

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

Security advisory
-----------------

The following issues are fixed in v1.41.1.

- **[GHSA-3x4c-pq33-4w3q](https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q) / [CVE-2021-39164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39164): Enumerating a private room's list of members and their display names.**

  If an unauthorized user both knows the Room ID of a private room *and* that room's history visibility is set to `shared`, then they may be able to enumerate the room's members, including their display names.

  The unauthorized user must be on the same homeserver as a user who is a member of the target room.

  Fixed by [52c7a51cf](https://github.com/matrix-org/synapse/commit/52c7a51cf).

- **[GHSA-jj53-8fmw-f2w2](https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2) / [CVE-2021-39163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39163): Disclosing a private room's name, avatar, topic, and number of members.**

  If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.

  The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (`enable_group_creation` in the Synapse configuration; off by default).

  Fixed by [cb35df940a](https://github.com/matrix-org/synapse/commit/cb35df940a), [\#10723](https://github.com/matrix-org/synapse/issues/10723).

Bugfixes
--------

- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. ([\#10713](https://github.com/matrix-org/synapse/issues/10713))
2021-09-02 17:43:22 +01:00
..
api
MSC2918 Refresh tokens implementation (#9450)
2021-06-24 14:33:20 +01:00
app
Flatten the synapse.rest.client package (#10600)
2021-08-17 11:57:58 +00:00
appservice
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
config
Allow using several custom template directories (#10587)
2021-08-17 10:23:14 +00:00
crypto
Rewrite the KeyRing (#10035)
2021-06-02 16:37:59 +01:00
events
Flatten the synapse.rest.client package (#10600)
2021-08-17 11:57:58 +00:00
federation
Merge tag 'v1.33.2' into babolivier/dinsic_1.41.0
2021-08-31 14:53:42 +01:00
handlers
Merge tag 'v1.41.1' into babolivier/dinsic_1.41.0
2021-09-02 17:43:22 +01:00
http
Merge tag 'v1.40.0' into babolivier/dinsic_1.41.0
2021-09-01 11:34:56 +01:00
logging
Merge branch 'master' into develop
2021-04-20 14:55:16 +01:00
module_api
Flatten the synapse.rest.client package (#10600)
2021-08-17 11:57:58 +00:00
push
Merge tag 'v1.41.0' into babolivier/dinsic_1.41.0
2021-09-01 12:18:18 +01:00
replication
Flatten the synapse.rest.client package (#10600)
2021-08-17 11:57:58 +00:00
rest
Merge tag 'v1.41.1' into babolivier/dinsic_1.41.0
2021-09-02 17:43:22 +01:00
rulecheck
Load legacy modules in tests
2021-09-02 10:49:07 +01:00
scripts
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
server_notices
Flatten the synapse.rest.client package (#10600)
2021-08-17 11:57:58 +00:00
state
Update the MSC3083 support to verify if joins are from an authorized server. (#10254)
2021-07-26 12:17:00 -04:00
storage
Appease mypy
2021-09-02 11:06:45 +01:00
test_utils
Use inline type hints in tests/ (#10350)
2021-07-13 11:52:58 +01:00
util
Use inline type hints in tests/ (#10350)
2021-07-13 11:52:58 +01:00
__init__.py
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
server.py
Fix incompatibility with Twisted < 21. (#10713)
2021-08-27 16:33:41 +01:00
test_distributor.py
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
test_event_auth.py
Support MSC3289: Room version 8 (#10449)
2021-08-09 10:46:39 +02:00
test_federation.py
Clean up federation event auth code (#10539)
2021-08-06 13:54:23 +01:00
test_mau.py
Flatten the synapse.rest.client package (#10600)
2021-08-17 11:57:58 +00:00
test_metrics.py
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
test_phone_home.py
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
test_preview.py
Support underscores (in addition to hyphens) for charset detection. (#10410)
2021-07-27 17:29:42 +00:00
test_server.py
Improved validation for received requests (#9817)
2021-04-23 19:20:44 +01:00
test_state.py
Add a module type for account validity (#9884)
2021-07-16 18:11:53 +02:00
test_terms_auth.py
Flatten the synapse.rest.client package (#10600)
2021-08-17 11:57:58 +00:00
test_test_utils.py
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
test_types.py
Merge tag 'v1.39.0' into babolivier/dinsic_1.41.0
2021-09-01 11:26:23 +01:00
test_visibility.py
Remove redundant "coding: utf-8" lines (#9786)
2021-04-14 15:34:27 +01:00
unittest.py
Add a new version of the R30 phone-home metric, which removes a false impression of retention given by the old R30 metric (#10332)
2021-07-19 16:11:34 +01:00
utils.py
Merge tag 'v1.40.0' into babolivier/dinsic_1.41.0
2021-09-01 11:34:56 +01:00