This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
v1.24.0
·
5469 commits
to develop
since this release
v1.24.0
erikjohnston
Erik Johnston
This tag was signed with the committer’s verified signature.
erikjohnston
Erik Johnston
Synapse 1.24.0 (2020-12-09)
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
Security advisory
The following issues are fixed in v1.23.1 and v1.24.0.
-
There is a denial of service attack (CVE-2020-26257) against the federation APIs in which future events will not be correctly sent to other servers over federation. This affects all servers that participate in open federation. (Fixed in #8776).
-
Synapse may be affected by OpenSSL CVE-2020-1971. Synapse administrators should ensure that they have the latest versions of the cryptography Python package installed.
To upgrade Synapse along with the cryptography package:
- Administrators using the
matrix.orgDocker image or the Debian/Ubuntu packages frommatrix.orgshould ensure that they have version 1.24.0 or 1.23.1 installed: these images include the updated packages. - Administrators who have installed Synapse from source should upgrade the cryptography package within their virtualenv by running:
<path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
- Administrators who have installed Synapse from distribution packages should consult the information from their distributions.
Internal Changes
- Add a maximum version for pysaml2 on Python 3.5. (#8898)