This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Clarify security note regarding the domain Synapse is hosted on. #9221
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@dkasak Can you add a newsfile to this? Something like |
|
Done. |
|
Thank you! 👍 I think the CI error is fixed in #9146 / unrelated. |
clokep
reviewed
Jan 26, 2021
README.rst
Outdated
Comment on lines
161
to
162
| using `CSP`_), ideally a Matrix homeserver should be hosted on a dedicated | ||
| domain name not shared by other web applications. This particularly applies to |
There was a problem hiding this comment.
Should we define better what a "dedicated domain name" means? Is a subdomain OK (e.g. matrix.example.com where other web apps might be on example.com or webmail.example.com)?
There was a problem hiding this comment.
The intention is to recommend a completely separate domain name, not a subdomain. This is because hosting on a subdomain has some subtleties and gotchas around it, such as a subdomain being able to set cookies for its ancestor domains, which then also get sent to sibling subdomains. So I think we should say that the ideal scenario is to host on a domain that is completely unrelated to any sensitive web apps (i.e. example1.com and example2.com).
How about
Whilst we make a reasonable effort to mitigate against XSS attacks (such as using
CSP_), the ideal scenario is for the Matrix homeserver to be hosted on a domain that is completely separate from any domain hosting any other sensitive web applications.That is, if you have a sensitive web application running on
example1.com, thepublic_baseurlsetting in Synapse's config file should not be set toexample1.comnor any of its subdomains, but to another domainexample2.com.Note that most of the risk involved is mitigated by ensuring that the homeserver is at least hosted on a different subdomain. Therefore, at the very least, you should ensure that if a sensitive web application is running on
example1.com, thepublic_baseurlis something likesubdomain.example1.com. However, there are some subtleties around this, such as subdomains being able to set cookies on their ancestor domains. Whether this would be problematic will depend on the concrete web applications involved.Conclusion: Ideally, host on a domain that is completely separate from domains used by other applications. At the very least, host on a subdomain that is not shared by a sensitive application.
I also see now that I accidentally dropped the developer.github.com reference and the previous discussion in the riot-web repo. The former seems useful to have, but I'm not sure the latter clarifies anything or whether it just makes it more confusing (judging by the comments there).
There was a problem hiding this comment.
Of course, since this is now mentioning the public base URL, we can't talk about it being set to a domain name. sigh I'll revise.
There was a problem hiding this comment.
@dkasak are you still planning to revise this? I think that some examples would certainly be helpful here.
There was a problem hiding this comment.
Yes, examples, that's what I need! Thanks. And yes, I'll try taking another stab at it soon (probably tomorrow).
|
Heads up that merging in develop will be required to allow CI to pass due to us recently dropping Py3.5 support. |
dkasak
commented
May 26, 2021
| ``B.example1.com`` instead, so this is also acceptable in some scenarios. | ||
| However, you should *not* host your Synapse on ``A.example1.com``. | ||
|
|
||
| Note that all of the above refers exclusively to the domain used in Synapse's |
There was a problem hiding this comment.
I'm not sure whether this paragraph is confusing or clarifying. I thought it was good to mention the setting it is talking about explicitly. Thoughts?
aaronraimist
added a commit
to aaronraimist/synapse
that referenced
this pull request
Jun 17, 2021
Synapse 1.36.0 (2021-06-15) =========================== No significant changes. Synapse 1.36.0rc2 (2021-06-11) ============================== Bugfixes -------- - Fix a bug which caused presence updates to stop working some time after a restart, when using a presence writer worker. Broke in v1.33.0. ([\matrix-org#10149](matrix-org#10149)) - Fix a bug when using federation sender worker where it would send out more presence updates than necessary, leading to high resource usage. Broke in v1.33.0. ([\matrix-org#10163](matrix-org#10163)) - Fix a bug where Synapse could send the same presence update to a remote twice. ([\matrix-org#10165](matrix-org#10165)) Synapse 1.36.0rc1 (2021-06-08) ============================== Features -------- - Add new endpoint `/_matrix/client/r0/rooms/{roomId}/aliases` from Client-Server API r0.6.1 (previously [MSC2432](matrix-org/matrix-spec-proposals#2432)). ([\matrix-org#9224](matrix-org#9224)) - Improve performance of incoming federation transactions in large rooms. ([\matrix-org#9953](matrix-org#9953), [\matrix-org#9973](matrix-org#9973)) - Rewrite logic around verifying JSON object and fetching server keys to be more performant and use less memory. ([\matrix-org#10035](matrix-org#10035)) - Add new admin APIs for unprotecting local media from quarantine. Contributed by @dklimpel. ([\matrix-org#10040](matrix-org#10040)) - Add new admin APIs to remove media by media ID from quarantine. Contributed by @dklimpel. ([\matrix-org#10044](matrix-org#10044)) - Make reason and score parameters optional for reporting content. Implements [MSC2414](matrix-org/matrix-spec-proposals#2414). Contributed by Callum Brown. ([\matrix-org#10077](matrix-org#10077)) - Add support for routing more requests to workers. ([\matrix-org#10084](matrix-org#10084)) - Report OpenTracing spans for database activity. ([\matrix-org#10113](matrix-org#10113), [\matrix-org#10136](matrix-org#10136), [\matrix-org#10141](matrix-org#10141)) - Significantly reduce memory usage of joining large remote rooms. ([\matrix-org#10117](matrix-org#10117)) Bugfixes -------- - Fixed a bug causing replication requests to fail when receiving a lot of events via federation. ([\matrix-org#10082](matrix-org#10082)) - Fix a bug in the `force_tracing_for_users` option introduced in Synapse v1.35 which meant that the OpenTracing spans produced were missing most tags. ([\matrix-org#10092](matrix-org#10092)) - Fixed a bug that could cause Synapse to stop notifying application services. Contributed by Willem Mulder. ([\matrix-org#10107](matrix-org#10107)) - Fix bug where the server would attempt to fetch the same history in the room from a remote server multiple times in parallel. ([\matrix-org#10116](matrix-org#10116)) - Fix a bug introduced in Synapse 1.33.0 which caused replication requests to fail when receiving a lot of very large events via federation. ([\matrix-org#10118](matrix-org#10118)) - Fix bug when using workers where pagination requests failed if a remote server returned zero events from `/backfill`. Introduced in 1.35.0. ([\matrix-org#10133](matrix-org#10133)) Improved Documentation ---------------------- - Clarify security note regarding hosting Synapse on the same domain as other web applications. ([\matrix-org#9221](matrix-org#9221)) - Update CAPTCHA documentation to mention turning off the verify origin feature. Contributed by @aaronraimist. ([\matrix-org#10046](matrix-org#10046)) - Tweak wording of database recommendation in `INSTALL.md`. Contributed by @aaronraimist. ([\matrix-org#10057](matrix-org#10057)) - Add initial infrastructure for rendering Synapse documentation with mdbook. ([\matrix-org#10086](matrix-org#10086)) - Convert the remaining Admin API documentation files to markdown. ([\matrix-org#10089](matrix-org#10089)) - Make a link in docs use HTTPS. Contributed by @RhnSharma. ([\matrix-org#10130](matrix-org#10130)) - Fix broken link in Docker docs. ([\matrix-org#10132](matrix-org#10132)) Deprecations and Removals ------------------------- - Remove the experimental `spaces_enabled` flag. The spaces features are always available now. ([\matrix-org#10063](matrix-org#10063)) Internal Changes ---------------- - Tell CircleCI to build Docker images from `main` branch. ([\matrix-org#9906](matrix-org#9906)) - Simplify naming convention for release branches to only include the major and minor version numbers. ([\matrix-org#10013](matrix-org#10013)) - Add `parse_strings_from_args` for parsing an array from query parameters. ([\matrix-org#10048](matrix-org#10048), [\matrix-org#10137](matrix-org#10137)) - Remove some dead code regarding TLS certificate handling. ([\matrix-org#10054](matrix-org#10054)) - Remove redundant, unmaintained `convert_server_keys` script. ([\matrix-org#10055](matrix-org#10055)) - Improve the error message printed by synctl when synapse fails to start. ([\matrix-org#10059](matrix-org#10059)) - Fix GitHub Actions lint for newsfragments. ([\matrix-org#10069](matrix-org#10069)) - Update opentracing to inject the right context into the carrier. ([\matrix-org#10074](matrix-org#10074)) - Fix up `BatchingQueue` implementation. ([\matrix-org#10078](matrix-org#10078)) - Log method and path when dropping request due to size limit. ([\matrix-org#10091](matrix-org#10091)) - In Github Actions workflows, summarize the Sytest results in an easy-to-read format. ([\matrix-org#10094](matrix-org#10094)) - Make `/sync` do fewer state resolutions. ([\matrix-org#10102](matrix-org#10102)) - Add missing type hints to the admin API servlets. ([\matrix-org#10105](matrix-org#10105)) - Improve opentracing annotations for `Notifier`. ([\matrix-org#10111](matrix-org#10111)) - Enable Prometheus metrics for the jaeger client library. ([\matrix-org#10112](matrix-org#10112)) - Work to improve the responsiveness of `/sync` requests. ([\matrix-org#10124](matrix-org#10124)) - OpenTracing: use a consistent name for background processes. ([\matrix-org#10135](matrix-org#10135))
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jul 1, 2021
Synapse 1.37.0 (2021-06-29) =========================== This release deprecates the current spam checker interface. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new generic module interface. This release also removes support for fetching and renewing TLS certificates using the ACME v1 protocol, which has been fully decommissioned by Let's Encrypt on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. Synapse 1.37.0rc1 (2021-06-24) ============================== Features -------- - Implement "room knocking" as per [MSC2403](matrix-org/matrix-spec-proposals#2403). Contributed by @Sorunome and anoa. ([\#6739](matrix-org/synapse#6739), [\#9359](matrix-org/synapse#9359), [\#10167](matrix-org/synapse#10167), [\#10212](matrix-org/synapse#10212), [\#10227](matrix-org/synapse#10227)) - Add experimental support for backfilling history into rooms ([MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\#9247](matrix-org/synapse#9247)) - Implement a generic interface for third-party plugin modules. ([\#10062](matrix-org/synapse#10062), [\#10206](matrix-org/synapse#10206)) - Implement config option `sso.update_profile_information` to sync SSO users' profile information with the identity provider each time they login. Currently only displayname is supported. ([\#10108](matrix-org/synapse#10108)) - Ensure that errors during startup are written to the logs and the console. ([\#10191](matrix-org/synapse#10191)) Bugfixes -------- - Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure. ([\#10115](matrix-org/synapse#10115)) - Remove a broken import line in Synapse's `admin_cmd` worker. Broke in Synapse v1.33.0. ([\#10154](matrix-org/synapse#10154)) - Fix a bug introduced in Synapse v1.21.0 which could cause `/sync` to return immediately with an empty response. ([\#10157](matrix-org/synapse#10157), [\#10158](matrix-org/synapse#10158)) - Fix a minor bug in the response to `/_matrix/client/r0/user/{user}/openid/request_token` causing `expires_in` to be a float instead of an integer. Contributed by @lukaslihotzki. ([\#10175](matrix-org/synapse#10175)) - Always require users to re-authenticate for dangerous operations: deactivating an account, modifying an account password, and adding 3PIDs. ([\#10184](matrix-org/synapse#10184)) - Fix a bug introduced in Synpase v1.7.2 where remote server count metrics collection would be incorrectly delayed on startup. Found by @heftig. ([\#10195](matrix-org/synapse#10195)) - Fix a bug introduced in Synapse v1.35.1 where an `allow` key of a `m.room.join_rules` event could be applied for incorrect room versions and configurations. ([\#10208](matrix-org/synapse#10208)) - Fix performance regression in responding to user key requests over federation. Introduced in Synapse v1.34.0rc1. ([\#10221](matrix-org/synapse#10221)) Improved Documentation ---------------------- - Add a new guide to decoding request logs. ([\#8436](matrix-org/synapse#8436)) - Mention in the sample homeserver config that you may need to configure max upload size in your reverse proxy. Contributed by @aaronraimist. ([\#10122](matrix-org/synapse#10122)) - Fix broken links in documentation. ([\#10180](matrix-org/synapse#10180)) - Deploy a snapshot of the documentation website upon each new Synapse release. ([\#10198](matrix-org/synapse#10198)) Deprecations and Removals ------------------------- - The current spam checker interface is deprecated in favour of a new generic modules system. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new system. ([\#10062](matrix-org/synapse#10062), [\#10210](matrix-org/synapse#10210), [\#10238](matrix-org/synapse#10238)) - Stop supporting the unstable spaces prefixes from MSC1772. ([\#10161](matrix-org/synapse#10161)) - Remove Synapse's support for automatically fetching and renewing certificates using the ACME v1 protocol. This protocol has been fully turned off by Let's Encrypt for existing installations on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. ([\#10194](matrix-org/synapse#10194)) Internal Changes ---------------- - Update the database schema versioning to support gradual migration away from legacy tables. ([\#9933](matrix-org/synapse#9933)) - Add type hints to the federation servlets. ([\#10080](matrix-org/synapse#10080)) - Improve OpenTracing for event persistence. ([\#10134](matrix-org/synapse#10134), [\#10193](matrix-org/synapse#10193)) - Clean up the interface for injecting OpenTracing over HTTP. ([\#10143](matrix-org/synapse#10143)) - Limit the number of in-flight `/keys/query` requests from a single device. ([\#10144](matrix-org/synapse#10144)) - Refactor EventPersistenceQueue. ([\#10145](matrix-org/synapse#10145)) - Document `SYNAPSE_TEST_LOG_LEVEL` to see the logger output when running tests. ([\#10148](matrix-org/synapse#10148)) - Update the Complement build tags in GitHub Actions to test currently experimental features. ([\#10155](matrix-org/synapse#10155)) - Add a `synapse_federation_soft_failed_events_total` metric to track how often events are soft failed. ([\#10156](matrix-org/synapse#10156)) - Fetch the corresponding complement branch when performing CI. ([\#10160](matrix-org/synapse#10160)) - Add some developer documentation about boolean columns in database schemas. ([\#10164](matrix-org/synapse#10164)) - Add extra logging fields to better debug where events are being soft failed. ([\#10168](matrix-org/synapse#10168)) - Add debug logging for when we enter and exit `Measure` blocks. ([\#10183](matrix-org/synapse#10183)) - Improve comments in structured logging code. ([\#10188](matrix-org/synapse#10188)) - Update [MSC3083](matrix-org/matrix-spec-proposals#3083) support with modifications from the MSC. ([\#10189](matrix-org/synapse#10189)) - Remove redundant DNS lookup limiter. ([\#10190](matrix-org/synapse#10190)) - Upgrade `black` linting tool to 21.6b0. ([\#10197](matrix-org/synapse#10197)) - Expose OpenTracing trace id in response headers. ([\#10199](matrix-org/synapse#10199)) Synapse 1.36.0 (2021-06-15) =========================== No significant changes. Synapse 1.36.0rc2 (2021-06-11) ============================== Bugfixes -------- - Fix a bug which caused presence updates to stop working some time after a restart, when using a presence writer worker. Broke in v1.33.0. ([\#10149](matrix-org/synapse#10149)) - Fix a bug when using federation sender worker where it would send out more presence updates than necessary, leading to high resource usage. Broke in v1.33.0. ([\#10163](matrix-org/synapse#10163)) - Fix a bug where Synapse could send the same presence update to a remote twice. ([\#10165](matrix-org/synapse#10165)) Synapse 1.36.0rc1 (2021-06-08) ============================== Features -------- - Add new endpoint `/_matrix/client/r0/rooms/{roomId}/aliases` from Client-Server API r0.6.1 (previously [MSC2432](matrix-org/matrix-spec-proposals#2432)). ([\#9224](matrix-org/synapse#9224)) - Improve performance of incoming federation transactions in large rooms. ([\#9953](matrix-org/synapse#9953), [\#9973](matrix-org/synapse#9973)) - Rewrite logic around verifying JSON object and fetching server keys to be more performant and use less memory. ([\#10035](matrix-org/synapse#10035)) - Add new admin APIs for unprotecting local media from quarantine. Contributed by @dklimpel. ([\#10040](matrix-org/synapse#10040)) - Add new admin APIs to remove media by media ID from quarantine. Contributed by @dklimpel. ([\#10044](matrix-org/synapse#10044)) - Make reason and score parameters optional for reporting content. Implements [MSC2414](matrix-org/matrix-spec-proposals#2414). Contributed by Callum Brown. ([\#10077](matrix-org/synapse#10077)) - Add support for routing more requests to workers. ([\#10084](matrix-org/synapse#10084)) - Report OpenTracing spans for database activity. ([\#10113](matrix-org/synapse#10113), [\#10136](matrix-org/synapse#10136), [\#10141](matrix-org/synapse#10141)) - Significantly reduce memory usage of joining large remote rooms. ([\#10117](matrix-org/synapse#10117)) Bugfixes -------- - Fixed a bug causing replication requests to fail when receiving a lot of events via federation. ([\#10082](matrix-org/synapse#10082)) - Fix a bug in the `force_tracing_for_users` option introduced in Synapse v1.35 which meant that the OpenTracing spans produced were missing most tags. ([\#10092](matrix-org/synapse#10092)) - Fixed a bug that could cause Synapse to stop notifying application services. Contributed by Willem Mulder. ([\#10107](matrix-org/synapse#10107)) - Fix bug where the server would attempt to fetch the same history in the room from a remote server multiple times in parallel. ([\#10116](matrix-org/synapse#10116)) - Fix a bug introduced in Synapse 1.33.0 which caused replication requests to fail when receiving a lot of very large events via federation. ([\#10118](matrix-org/synapse#10118)) - Fix bug when using workers where pagination requests failed if a remote server returned zero events from `/backfill`. Introduced in 1.35.0. ([\#10133](matrix-org/synapse#10133)) Improved Documentation ---------------------- - Clarify security note regarding hosting Synapse on the same domain as other web applications. ([\#9221](matrix-org/synapse#9221)) - Update CAPTCHA documentation to mention turning off the verify origin feature. Contributed by @aaronraimist. ([\#10046](matrix-org/synapse#10046)) - Tweak wording of database recommendation in `INSTALL.md`. Contributed by @aaronraimist. ([\#10057](matrix-org/synapse#10057)) - Add initial infrastructure for rendering Synapse documentation with mdbook. ([\#10086](matrix-org/synapse#10086)) - Convert the remaining Admin API documentation files to markdown. ([\#10089](matrix-org/synapse#10089)) - Make a link in docs use HTTPS. Contributed by @RhnSharma. ([\#10130](matrix-org/synapse#10130)) - Fix broken link in Docker docs. ([\#10132](matrix-org/synapse#10132)) Deprecations and Removals ------------------------- - Remove the experimental `spaces_enabled` flag. The spaces features are always available now. ([\#10063](matrix-org/synapse#10063)) Internal Changes ---------------- - Tell CircleCI to build Docker images from `main` branch. ([\#9906](matrix-org/synapse#9906)) - Simplify naming convention for release branches to only include the major and minor version numbers. ([\#10013](matrix-org/synapse#10013)) - Add `parse_strings_from_args` for parsing an array from query parameters. ([\#10048](matrix-org/synapse#10048), [\#10137](matrix-org/synapse#10137)) - Remove some dead code regarding TLS certificate handling. ([\#10054](matrix-org/synapse#10054)) - Remove redundant, unmaintained `convert_server_keys` script. ([\#10055](matrix-org/synapse#10055)) - Improve the error message printed by synctl when synapse fails to start. ([\#10059](matrix-org/synapse#10059)) - Fix GitHub Actions lint for newsfragments. ([\#10069](matrix-org/synapse#10069)) - Update opentracing to inject the right context into the carrier. ([\#10074](matrix-org/synapse#10074)) - Fix up `BatchingQueue` implementation. ([\#10078](matrix-org/synapse#10078)) - Log method and path when dropping request due to size limit. ([\#10091](matrix-org/synapse#10091)) - In Github Actions workflows, summarize the Sytest results in an easy-to-read format. ([\#10094](matrix-org/synapse#10094)) - Make `/sync` do fewer state resolutions. ([\#10102](matrix-org/synapse#10102)) - Add missing type hints to the admin API servlets. ([\#10105](matrix-org/synapse#10105)) - Improve opentracing annotations for `Notifier`. ([\#10111](matrix-org/synapse#10111)) - Enable Prometheus metrics for the jaeger client library. ([\#10112](matrix-org/synapse#10112)) - Work to improve the responsiveness of `/sync` requests. ([\#10124](matrix-org/synapse#10124)) - OpenTracing: use a consistent name for background processes. ([\#10135](matrix-org/synapse#10135))
babolivier
added a commit
to matrix-org/synapse-dinsic
that referenced
this pull request
Sep 1, 2021
Synapse 1.36.0 (2021-06-15) =========================== No significant changes. Synapse 1.36.0rc2 (2021-06-11) ============================== Bugfixes -------- - Fix a bug which caused presence updates to stop working some time after a restart, when using a presence writer worker. Broke in v1.33.0. ([\#10149](matrix-org/synapse#10149)) - Fix a bug when using federation sender worker where it would send out more presence updates than necessary, leading to high resource usage. Broke in v1.33.0. ([\#10163](matrix-org/synapse#10163)) - Fix a bug where Synapse could send the same presence update to a remote twice. ([\#10165](matrix-org/synapse#10165)) Synapse 1.36.0rc1 (2021-06-08) ============================== Features -------- - Add new endpoint `/_matrix/client/r0/rooms/{roomId}/aliases` from Client-Server API r0.6.1 (previously [MSC2432](matrix-org/matrix-spec-proposals#2432)). ([\#9224](matrix-org/synapse#9224)) - Improve performance of incoming federation transactions in large rooms. ([\#9953](matrix-org/synapse#9953), [\#9973](matrix-org/synapse#9973)) - Rewrite logic around verifying JSON object and fetching server keys to be more performant and use less memory. ([\#10035](matrix-org/synapse#10035)) - Add new admin APIs for unprotecting local media from quarantine. Contributed by @dklimpel. ([\#10040](matrix-org/synapse#10040)) - Add new admin APIs to remove media by media ID from quarantine. Contributed by @dklimpel. ([\#10044](matrix-org/synapse#10044)) - Make reason and score parameters optional for reporting content. Implements [MSC2414](matrix-org/matrix-spec-proposals#2414). Contributed by Callum Brown. ([\#10077](matrix-org/synapse#10077)) - Add support for routing more requests to workers. ([\#10084](matrix-org/synapse#10084)) - Report OpenTracing spans for database activity. ([\#10113](matrix-org/synapse#10113), [\#10136](matrix-org/synapse#10136), [\#10141](matrix-org/synapse#10141)) - Significantly reduce memory usage of joining large remote rooms. ([\#10117](matrix-org/synapse#10117)) Bugfixes -------- - Fixed a bug causing replication requests to fail when receiving a lot of events via federation. ([\#10082](matrix-org/synapse#10082)) - Fix a bug in the `force_tracing_for_users` option introduced in Synapse v1.35 which meant that the OpenTracing spans produced were missing most tags. ([\#10092](matrix-org/synapse#10092)) - Fixed a bug that could cause Synapse to stop notifying application services. Contributed by Willem Mulder. ([\#10107](matrix-org/synapse#10107)) - Fix bug where the server would attempt to fetch the same history in the room from a remote server multiple times in parallel. ([\#10116](matrix-org/synapse#10116)) - Fix a bug introduced in Synapse 1.33.0 which caused replication requests to fail when receiving a lot of very large events via federation. ([\#10118](matrix-org/synapse#10118)) - Fix bug when using workers where pagination requests failed if a remote server returned zero events from `/backfill`. Introduced in 1.35.0. ([\#10133](matrix-org/synapse#10133)) Improved Documentation ---------------------- - Clarify security note regarding hosting Synapse on the same domain as other web applications. ([\#9221](matrix-org/synapse#9221)) - Update CAPTCHA documentation to mention turning off the verify origin feature. Contributed by @aaronraimist. ([\#10046](matrix-org/synapse#10046)) - Tweak wording of database recommendation in `INSTALL.md`. Contributed by @aaronraimist. ([\#10057](matrix-org/synapse#10057)) - Add initial infrastructure for rendering Synapse documentation with mdbook. ([\#10086](matrix-org/synapse#10086)) - Convert the remaining Admin API documentation files to markdown. ([\#10089](matrix-org/synapse#10089)) - Make a link in docs use HTTPS. Contributed by @RhnSharma. ([\#10130](matrix-org/synapse#10130)) - Fix broken link in Docker docs. ([\#10132](matrix-org/synapse#10132)) Deprecations and Removals ------------------------- - Remove the experimental `spaces_enabled` flag. The spaces features are always available now. ([\#10063](matrix-org/synapse#10063)) Internal Changes ---------------- - Tell CircleCI to build Docker images from `main` branch. ([\#9906](matrix-org/synapse#9906)) - Simplify naming convention for release branches to only include the major and minor version numbers. ([\#10013](matrix-org/synapse#10013)) - Add `parse_strings_from_args` for parsing an array from query parameters. ([\#10048](matrix-org/synapse#10048), [\#10137](matrix-org/synapse#10137)) - Remove some dead code regarding TLS certificate handling. ([\#10054](matrix-org/synapse#10054)) - Remove redundant, unmaintained `convert_server_keys` script. ([\#10055](matrix-org/synapse#10055)) - Improve the error message printed by synctl when synapse fails to start. ([\#10059](matrix-org/synapse#10059)) - Fix GitHub Actions lint for newsfragments. ([\#10069](matrix-org/synapse#10069)) - Update opentracing to inject the right context into the carrier. ([\#10074](matrix-org/synapse#10074)) - Fix up `BatchingQueue` implementation. ([\#10078](matrix-org/synapse#10078)) - Log method and path when dropping request due to size limit. ([\#10091](matrix-org/synapse#10091)) - In Github Actions workflows, summarize the Sytest results in an easy-to-read format. ([\#10094](matrix-org/synapse#10094)) - Make `/sync` do fewer state resolutions. ([\#10102](matrix-org/synapse#10102)) - Add missing type hints to the admin API servlets. ([\#10105](matrix-org/synapse#10105)) - Improve opentracing annotations for `Notifier`. ([\#10111](matrix-org/synapse#10111)) - Enable Prometheus metrics for the jaeger client library. ([\#10112](matrix-org/synapse#10112)) - Work to improve the responsiveness of `/sync` requests. ([\#10124](matrix-org/synapse#10124)) - OpenTracing: use a consistent name for background processes. ([\#10135](matrix-org/synapse#10135))
Fizzadar
pushed a commit
to Fizzadar/synapse
that referenced
this pull request
Oct 26, 2021
Synapse 1.36.0 (2021-06-15) =========================== No significant changes. Synapse 1.36.0rc2 (2021-06-11) ============================== Bugfixes -------- - Fix a bug which caused presence updates to stop working some time after a restart, when using a presence writer worker. Broke in v1.33.0. ([\matrix-org#10149](matrix-org#10149)) - Fix a bug when using federation sender worker where it would send out more presence updates than necessary, leading to high resource usage. Broke in v1.33.0. ([\matrix-org#10163](matrix-org#10163)) - Fix a bug where Synapse could send the same presence update to a remote twice. ([\matrix-org#10165](matrix-org#10165)) Synapse 1.36.0rc1 (2021-06-08) ============================== Features -------- - Add new endpoint `/_matrix/client/r0/rooms/{roomId}/aliases` from Client-Server API r0.6.1 (previously [MSC2432](matrix-org/matrix-spec-proposals#2432)). ([\matrix-org#9224](matrix-org#9224)) - Improve performance of incoming federation transactions in large rooms. ([\matrix-org#9953](matrix-org#9953), [\matrix-org#9973](matrix-org#9973)) - Rewrite logic around verifying JSON object and fetching server keys to be more performant and use less memory. ([\matrix-org#10035](matrix-org#10035)) - Add new admin APIs for unprotecting local media from quarantine. Contributed by @dklimpel. ([\matrix-org#10040](matrix-org#10040)) - Add new admin APIs to remove media by media ID from quarantine. Contributed by @dklimpel. ([\matrix-org#10044](matrix-org#10044)) - Make reason and score parameters optional for reporting content. Implements [MSC2414](matrix-org/matrix-spec-proposals#2414). Contributed by Callum Brown. ([\matrix-org#10077](matrix-org#10077)) - Add support for routing more requests to workers. ([\matrix-org#10084](matrix-org#10084)) - Report OpenTracing spans for database activity. ([\matrix-org#10113](matrix-org#10113), [\matrix-org#10136](matrix-org#10136), [\matrix-org#10141](matrix-org#10141)) - Significantly reduce memory usage of joining large remote rooms. ([\matrix-org#10117](matrix-org#10117)) Bugfixes -------- - Fixed a bug causing replication requests to fail when receiving a lot of events via federation. ([\matrix-org#10082](matrix-org#10082)) - Fix a bug in the `force_tracing_for_users` option introduced in Synapse v1.35 which meant that the OpenTracing spans produced were missing most tags. ([\matrix-org#10092](matrix-org#10092)) - Fixed a bug that could cause Synapse to stop notifying application services. Contributed by Willem Mulder. ([\matrix-org#10107](matrix-org#10107)) - Fix bug where the server would attempt to fetch the same history in the room from a remote server multiple times in parallel. ([\matrix-org#10116](matrix-org#10116)) - Fix a bug introduced in Synapse 1.33.0 which caused replication requests to fail when receiving a lot of very large events via federation. ([\matrix-org#10118](matrix-org#10118)) - Fix bug when using workers where pagination requests failed if a remote server returned zero events from `/backfill`. Introduced in 1.35.0. ([\matrix-org#10133](matrix-org#10133)) Improved Documentation ---------------------- - Clarify security note regarding hosting Synapse on the same domain as other web applications. ([\matrix-org#9221](matrix-org#9221)) - Update CAPTCHA documentation to mention turning off the verify origin feature. Contributed by @aaronraimist. ([\matrix-org#10046](matrix-org#10046)) - Tweak wording of database recommendation in `INSTALL.md`. Contributed by @aaronraimist. ([\matrix-org#10057](matrix-org#10057)) - Add initial infrastructure for rendering Synapse documentation with mdbook. ([\matrix-org#10086](matrix-org#10086)) - Convert the remaining Admin API documentation files to markdown. ([\matrix-org#10089](matrix-org#10089)) - Make a link in docs use HTTPS. Contributed by @RhnSharma. ([\matrix-org#10130](matrix-org#10130)) - Fix broken link in Docker docs. ([\matrix-org#10132](matrix-org#10132)) Deprecations and Removals ------------------------- - Remove the experimental `spaces_enabled` flag. The spaces features are always available now. ([\matrix-org#10063](matrix-org#10063)) Internal Changes ---------------- - Tell CircleCI to build Docker images from `main` branch. ([\matrix-org#9906](matrix-org#9906)) - Simplify naming convention for release branches to only include the major and minor version numbers. ([\matrix-org#10013](matrix-org#10013)) - Add `parse_strings_from_args` for parsing an array from query parameters. ([\matrix-org#10048](matrix-org#10048), [\matrix-org#10137](matrix-org#10137)) - Remove some dead code regarding TLS certificate handling. ([\matrix-org#10054](matrix-org#10054)) - Remove redundant, unmaintained `convert_server_keys` script. ([\matrix-org#10055](matrix-org#10055)) - Improve the error message printed by synctl when synapse fails to start. ([\matrix-org#10059](matrix-org#10059)) - Fix GitHub Actions lint for newsfragments. ([\matrix-org#10069](matrix-org#10069)) - Update opentracing to inject the right context into the carrier. ([\matrix-org#10074](matrix-org#10074)) - Fix up `BatchingQueue` implementation. ([\matrix-org#10078](matrix-org#10078)) - Log method and path when dropping request due to size limit. ([\matrix-org#10091](matrix-org#10091)) - In Github Actions workflows, summarize the Sytest results in an easy-to-read format. ([\matrix-org#10094](matrix-org#10094)) - Make `/sync` do fewer state resolutions. ([\matrix-org#10102](matrix-org#10102)) - Add missing type hints to the admin API servlets. ([\matrix-org#10105](matrix-org#10105)) - Improve opentracing annotations for `Notifier`. ([\matrix-org#10111](matrix-org#10111)) - Enable Prometheus metrics for the jaeger client library. ([\matrix-org#10112](matrix-org#10112)) - Work to improve the responsiveness of `/sync` requests. ([\matrix-org#10124](matrix-org#10124)) - OpenTracing: use a consistent name for background processes. ([\matrix-org#10135](matrix-org#10135))
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The intent is to make it clearer that running Synapse on the same domain as another sensitive web application is not a good idea due to possibility of XSS.
Pull Request Checklist
Signed-off-by: Denis Kasak dkasak@termina.org.uk