Skip to content

Commit

Permalink
Merge tag 'v1.85.0' into develop
Browse files Browse the repository at this point in the history
Synapse 1.85.0 (2023-06-06)
===========================

No significant changes since 1.85.0rc2.

The following issues are fixed in 1.85.0 (and RCs).

- [GHSA-26c5-ppr8-f33p](GHSA-26c5-ppr8-f33p) / [CVE-2023-32682](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity

  It may be possible for a deactivated user to login when using uncommon configurations.

- [GHSA-98px-6486-j7qc](GHSA-98px-6486-j7qc) / [CVE-2023-32683](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity

  A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs).

See the advisories for more details. If you have any questions, email security@matrix.org.

Synapse 1.85.0rc2 (2023-06-01)
==============================

Bugfixes
--------

- Fix a performance issue introduced in Synapse v1.83.0 which meant that purging rooms was very slow and database-intensive. ([\matrix-org#15693](matrix-org#15693))

Deprecations and Removals
-------------------------

- Deprecate calling the `/register` endpoint with an unspecced `user` property for application services. ([\matrix-org#15703](matrix-org#15703))

Internal Changes
----------------

- Speed up background jobs `populate_full_user_id_user_filters` and `populate_full_user_id_profiles`. ([\matrix-org#15700](matrix-org#15700))

Synapse 1.85.0rc1 (2023-05-30)
==============================

Features
--------

- Improve performance of backfill requests by performing backfill of previously failed requests in the background. ([\matrix-org#15585](matrix-org#15585))
- Add a new [admin API](https://matrix-org.github.io/synapse/v1.85/usage/administration/admin_api/index.html) to [create a new device for a user](https://matrix-org.github.io/synapse/v1.85/admin_api/user_admin_api.html#create-a-device). ([\matrix-org#15611](matrix-org#15611))
- Add Unix socket support for Redis connections. Contributed by Jason Little. ([\matrix-org#15644](matrix-org#15644))

Bugfixes
--------

- Fix a long-standing bug where setting the read marker could fail when using message retention. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#15464](matrix-org#15464))
- Fix a long-standing bug where the `url_preview_url_blacklist` configuration setting was not applied to oEmbed or image URLs found while previewing a URL. ([\matrix-org#15601](matrix-org#15601))
- Fix a long-standing bug where filters with multiple backslashes were rejected. ([\matrix-org#15607](matrix-org#15607))
- Fix a bug introduced in Synapse 1.82.0 where the error message displayed when validation of the `app_service_config_files` config option fails would be incorrectly formatted. ([\matrix-org#15614](matrix-org#15614))
- Fix a long-standing bug where deactivated users were still able to login using the custom `org.matrix.login.jwt` login type (if enabled). ([\matrix-org#15624](matrix-org#15624))
- Fix a long-standing bug where deactivated users were able to login in uncommon situations. ([\matrix-org#15634](matrix-org#15634))

Improved Documentation
----------------------

- Warn users that at least 3.75GB of space is needed for the nix Synapse development environment. ([\matrix-org#15613](matrix-org#15613))
- Remove outdated comment from the generated and sample homeserver log configs. ([\matrix-org#15648](matrix-org#15648))
- Improve contributor docs to make it more clear that Rust is a necessary prerequisite. Contributed by @grantm. ([\matrix-org#15668](matrix-org#15668))

Deprecations and Removals
-------------------------

- Remove the old version of the R30 (30-day retained users) phone-home metric. ([\matrix-org#10428](matrix-org#10428))

Internal Changes
----------------

- Create dependabot changelogs at release time. ([\matrix-org#15481](matrix-org#15481))
- Add not null constraint to column `full_user_id` of tables `profiles` and `user_filters`. ([\matrix-org#15537](matrix-org#15537))
- Allow connecting to HTTP Replication Endpoints by using `worker_name` when constructing the request. ([\matrix-org#15578](matrix-org#15578))
- Make the `thread_id` column on `event_push_actions`, `event_push_actions_staging`, and `event_push_summary` non-null. ([\matrix-org#15597](matrix-org#15597))
- Run mypy type checking with the minimum supported Python version to catch new usage that isn't backwards-compatible. ([\matrix-org#15602](matrix-org#15602))
- Fix subscriptable type usage in Python <3.9. ([\matrix-org#15604](matrix-org#15604))
- Update internal terminology. ([\matrix-org#15606](matrix-org#15606), [\matrix-org#15620](matrix-org#15620))
- Instrument `state` and `state_group` storage-related operations to better picture what's happening when tracing. ([\matrix-org#15610](matrix-org#15610), [\matrix-org#15647](matrix-org#15647))
- Trace how many new events from the backfill response we need to process. ([\matrix-org#15633](matrix-org#15633))
- Re-type config paths in `ConfigError`s to be `StrSequence`s instead of `Iterable[str]`s. ([\matrix-org#15615](matrix-org#15615))
- Update Mutual Rooms ([MSC2666](matrix-org/matrix-spec-proposals#2666)) implementation to match new proposal text. ([\matrix-org#15621](matrix-org#15621))
- Remove the unstable identifiers from faster joins ([MSC3706](matrix-org/matrix-spec-proposals#3706)). ([\matrix-org#15625](matrix-org#15625))
- Fix the olddeps CI. ([\matrix-org#15626](matrix-org#15626))
- Remove duplicate timestamp from test logs (`_trial_temp/test.log`). ([\matrix-org#15636](matrix-org#15636))
- Fix two memory leaks in `trial` test runs. ([\matrix-org#15630](matrix-org#15630))
- Limit the size of the `HomeServerConfig` cache in trial test runs. ([\matrix-org#15646](matrix-org#15646))
- Improve type hints. ([\matrix-org#15658](matrix-org#15658), [\matrix-org#15659](matrix-org#15659))
- Add requesting user id parameter to key claim methods in `TransportLayerClient`. ([\matrix-org#15663](matrix-org#15663))
- Speed up rebuilding of the user directory for local users. ([\matrix-org#15665](matrix-org#15665))
- Implement "option 2" for [MSC3820](matrix-org/matrix-spec-proposals#3820): Room version 11. ([\matrix-org#15666](matrix-org#15666), [\matrix-org#15678](matrix-org#15678))

* Bump furo from 2023.3.27 to 2023.5.20. ([\matrix-org#15642](matrix-org#15642))
* Bump log from 0.4.17 to 0.4.18. ([\matrix-org#15681](matrix-org#15681))
* Bump prometheus-client from 0.16.0 to 0.17.0. ([\matrix-org#15682](matrix-org#15682))
* Bump pydantic from 1.10.7 to 1.10.8. ([\matrix-org#15685](matrix-org#15685))
* Bump pygithub from 1.58.1 to 1.58.2. ([\matrix-org#15643](matrix-org#15643))
* Bump requests from 2.28.2 to 2.31.0. ([\matrix-org#15651](matrix-org#15651))
* Bump sphinx from 6.1.3 to 6.2.1. ([\matrix-org#15641](matrix-org#15641))
* Bump types-bleach from 6.0.0.1 to 6.0.0.3. ([\matrix-org#15686](matrix-org#15686))
* Bump types-pillow from 9.5.0.2 to 9.5.0.4. ([\matrix-org#15640](matrix-org#15640))
* Bump types-pyyaml from 6.0.12.9 to 6.0.12.10. ([\matrix-org#15683](matrix-org#15683))
* Bump types-requests from 2.30.0.0 to 2.31.0.0. ([\matrix-org#15684](matrix-org#15684))
* Bump types-setuptools from 67.7.0.2 to 67.8.0.0. ([\matrix-org#15639](matrix-org#15639))
  • Loading branch information
yingziwu committed Jun 6, 2023
2 parents 913b4f9 + ec71214 commit 05c8839
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 1 deletion.
21 changes: 21 additions & 0 deletions CHANGES.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,24 @@
Synapse 1.85.0 (2023-06-06)
===========================

No significant changes since 1.85.0rc2.


## Security advisory

The following issues are fixed in 1.85.0 (and RCs).

- [GHSA-26c5-ppr8-f33p](https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p) / [CVE-2023-32682](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity

It may be possible for a deactivated user to login when using uncommon configurations.

- [GHSA-98px-6486-j7qc](https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc) / [CVE-2023-32683](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity

A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs).

See the advisories for more details. If you have any questions, email security@matrix.org.


Synapse 1.85.0rc2 (2023-06-01)
==============================

Expand Down
6 changes: 6 additions & 0 deletions debian/changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
matrix-synapse-py3 (1.85.0) stable; urgency=medium

* New Synapse release 1.85.0.

-- Synapse Packaging team <packages@matrix.org> Tue, 06 Jun 2023 09:39:29 +0100

matrix-synapse-py3 (1.85.0~rc2) stable; urgency=medium

* New Synapse release 1.85.0rc2.
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ manifest-path = "rust/Cargo.toml"

[tool.poetry]
name = "matrix-synapse"
version = "1.85.0rc2"
version = "1.85.0"
description = "Homeserver for the Matrix decentralised comms protocol"
authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
license = "Apache-2.0"
Expand Down

0 comments on commit 05c8839

Please sign in to comment.