mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-15 06:13:52 +01:00
1.12.0 changelog
This commit is contained in:
parent
2fa55c0cc6
commit
a438950a00
1 changed files with 53 additions and 1 deletions
54
CHANGES.md
54
CHANGES.md
|
@ -1,7 +1,59 @@
|
||||||
Synapse 1.12.0 (2020-03-23)
|
Synapse 1.12.0 (2020-03-23)
|
||||||
===========================
|
===========================
|
||||||
|
|
||||||
No significant changes.
|
No significant changes since 1.12.0rc1.
|
||||||
|
|
||||||
|
Debian packages and Docker images are rebuilt using the letest versions of
|
||||||
|
dependency libraries, including Twisted 20.3.0. **Please see security advisory
|
||||||
|
below**.
|
||||||
|
|
||||||
|
Security advisory
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
Synapse may be vulnerable to request-smuggling attacks when it is used with a
|
||||||
|
reverse-proxy. The vulnerabilties are fixed in Twisted 20.3.0, and are
|
||||||
|
described in
|
||||||
|
[CVE-2020-10108](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108)
|
||||||
|
and
|
||||||
|
[CVE-2020-10109](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10109).
|
||||||
|
For a good introduction to this class of request-smuggling attacks, see
|
||||||
|
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.
|
||||||
|
|
||||||
|
We are not aware of these vulnerabilities being exploited in the world, and
|
||||||
|
do not believe that they are exploitable with current versions of any reverse
|
||||||
|
proxies. Nevertheless, we recommend that all Synapse administrators ensure that
|
||||||
|
they have the latest versions of the Twisted library to ensure that their
|
||||||
|
installation remains secore.
|
||||||
|
|
||||||
|
* Administrators using the [`matrix.org` Docker
|
||||||
|
image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
|
||||||
|
packages from
|
||||||
|
`matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
|
||||||
|
should ensure that they have version 1.12.0 installed: these images include
|
||||||
|
Twisted 20.3.0.
|
||||||
|
* Administrators who have [installed Synapse from
|
||||||
|
source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
|
||||||
|
should upgrade Twisted within their virtualenv by running:
|
||||||
|
```sh
|
||||||
|
<path_to_virtualenv>/bin/pip install 'Twisted>=20.3.0'
|
||||||
|
```
|
||||||
|
* Administrators who have installed Synapse from distribution packages should
|
||||||
|
consult the information from their distributions.
|
||||||
|
|
||||||
|
Advance notice of change to the default `git` branch for Synapse
|
||||||
|
----------------------------------------------------------------
|
||||||
|
|
||||||
|
Currently, the default `git` branch for Synapse is `master`, which tracks the
|
||||||
|
latest release.
|
||||||
|
|
||||||
|
After the release of Synapse 1.13.0, we intend to change this default to
|
||||||
|
`develop`, which is the development tip. This is more consistent with common
|
||||||
|
practice and modern `git` usage.
|
||||||
|
|
||||||
|
Although we try to keep `develop` in a stable state, there may be occasions
|
||||||
|
where regressions keep in. Developers and distributors who have scripts which
|
||||||
|
run builds using the default branch of `Synapse` should therefore consider
|
||||||
|
pinning their scripts to `master`.
|
||||||
|
|
||||||
|
|
||||||
Synapse 1.12.0rc1 (2020-03-19)
|
Synapse 1.12.0rc1 (2020-03-19)
|
||||||
|
|
Loading…
Reference in a new issue