Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

v1.41.1

Compare
Choose a tag to compare
@richvdh richvdh released this 31 Aug 13:00
· 4221 commits to develop since this release

Synapse 1.41.1 (2021-08-31)

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

Security advisory

The following issues are fixed in v1.41.1.

  • GHSA-3x4c-pq33-4w3q / CVE-2021-39164: Enumerating a private room's list of members and their display names.

    If an unauthorized user both knows the Room ID of a private room and that room's history visibility is set to shared, then they may be able to enumerate the room's members, including their display names.

    The unauthorized user must be on the same homeserver as a user who is a member of the target room.

    Fixed by 52c7a51cf.

  • GHSA-jj53-8fmw-f2w2 / CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.

    If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.

    The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (enable_group_creation in the Synapse configuration; off by default).

    Fixed by cb35df940a, #10723.

Bugfixes

  • Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. (#10713)