v1.2.1
Synapse 1.2.1 (2019-07-26)
Security update
This release includes four security fixes:
- Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. (#5767)
- Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely. Thanks to @lrizika:matrix.org for identifying and responsibly disclosing this issue. (0f2ecb961)
- Prevent an attack where users could be joined or parted from public rooms without their consent. Thanks to @dylangerdaly for identifying and responsibly disclosing this issue. (#5744)
- Fix a vulnerability where a federated server could spoof read-receipts from users on other servers. Thanks to @dylangerdaly for identifying this issue too. (#5743)
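The second fix above describes a denial of service caused by redaction events that reference each other in a loop. The following is an added illustration, not Synapse's own code: it models a simplified event store in which a server, to decide whether an event has been redacted, follows the chain of redaction events pointing at it, and shows how a visited set plus a depth bound turns an unbounded walk into a detected, rejectable condition. The `Event` class, the `STORE` contents and the function names are all constructed for this example and do not correspond to Synapse internals.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class RedactionChainError(Exception):
    """Raised when following redactions revisits an event or exceeds the depth bound."""

    def __init__(self, reason: str, path: List[str]):
        super().__init__(f"{reason}: {' -> '.join(path)}")
        self.reason = reason
        self.path = path


@dataclass
class Event:
    """Hypothetical, simplified stand-in for a Matrix event (example only)."""
    event_id: str
    type: str
    # For m.room.redaction events: the id of the event being redacted.
    redacts: Optional[str] = None


# Constructed sample store; these ids and events are made up for the example.
STORE: Dict[str, Event] = {
    "$msg1": Event("$msg1", "m.room.message"),
    "$red1": Event("$red1", "m.room.redaction", redacts="$msg1"),
    # A two-event cycle: each event claims to redact the other.
    "$a": Event("$a", "m.room.redaction", redacts="$b"),
    "$b": Event("$b", "m.room.redaction", redacts="$a"),
    # An event that claims to redact itself.
    "$self": Event("$self", "m.room.redaction", redacts="$self"),
}


def redaction_for(store: Dict[str, Event], event_id: str) -> Optional[Event]:
    """Return the redaction event targeting event_id, if any (linear scan for clarity)."""
    for ev in store.values():
        if ev.type == "m.room.redaction" and ev.redacts == event_id:
            return ev
    return None


def redaction_chain(store: Dict[str, Event], event_id: str, max_depth: int = 16) -> List[str]:
    """Walk from event_id through the events that redact it and return the ids visited.

    A naive walker would loop forever on the "$a"/"$b" or "$self" entries above.
    This version keeps a visited set (cycle detection) and a hop limit (defence in
    depth against very long but acyclic chains), raising instead of spinning.
    """
    path: List[str] = []
    seen: Set[str] = set()
    current: Optional[str] = event_id
    while current is not None:
        if current in seen:
            raise RedactionChainError("redaction cycle", path + [current])
        if len(path) >= max_depth:
            raise RedactionChainError("redaction chain too deep", path + [current])
        seen.add(current)
        path.append(current)
        nxt = redaction_for(store, current)
        current = nxt.event_id if nxt is not None else None
    return path


def is_redacted(store: Dict[str, Event], event_id: str) -> bool:
    """True if some redaction event targets event_id; raises on a malformed chain."""
    return len(redaction_chain(store, event_id)) > 1


def detect_cycle(store: Dict[str, Event], event_id: str) -> Optional[List[str]]:
    """Return the offending path if following redactions from event_id loops, else None."""
    try:
        redaction_chain(store, event_id)
    except RedactionChainError as exc:
        return exc.path
    return None


if __name__ == "__main__":
    print("$msg1 redacted:", is_redacted(STORE, "$msg1"))
    for eid in ("$a", "$self"):
        print(eid, "cycle:", detect_cycle(STORE, eid))
```

The point of the bounded walk is that a peer on the federation cannot choose the server's control flow: whatever the shape of the redaction graph it sends, the loop terminates after at most `max_depth` iterations, and the caller gets an exception it can log and treat as an invalid redaction rather than a hung worker.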
Additionally, the following fix was in Synapse 1.2.0, but was not correctly identified during the original release:
- It was possible for a room moderator to send a redaction for an `m.room.create` event, which would downgrade the room to version 1. Thanks to /dev/ponies for identifying and responsibly disclosing this issue! (#5701)