Skip to content

@richvdh richvdh released this Jul 26, 2019 · 188 commits to master since this release

Synapse 1.2.1 (2019-07-26)

Security update

This release includes four security fixes:

  • Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. (#5767)
  • Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely. Thanks to @lrizika:matrix.org for identifying and responsibly disclosing this issue. (0f2ecb961)
  • Prevent an attack where users could be joined or parted from public rooms without their consent. Thanks to @dylangerdaly for identifying and responsibly disclosing this issue. (#5744)
  • Fix a vulnerability where a federated server could spoof read-receipts from
    users on other servers. Thanks to @dylangerdaly for identifying this issue too. (#5743)

Additionally, the following fix was in Synapse 1.2.0, but was not correctly identified during the original release:

  • It was possible for a room moderator to send a redaction for an m.room.create event, which would downgrade the room to version 1. Thanks to /dev/ponies for identifying and responsibly disclosing this issue! (#5701)
Assets 2
You can’t perform that action at this time.