Synapse v1.12.1.rc1 Release Notes

Release Date: 2020-03-31
  • Bugfixes

    • Fix starting workers when federation sending is not split out. (#7133). Introduced in v1.12.0.
    • Avoid importing sqlite3 when using the postgres backend. Contributed by David Vo. (#7155). Introduced in v1.12.0rc1.
    • Fix a bug which could cause outbound federation traffic to stop working if a client uploaded an incorrect e2e device signature. (#7177). Introduced in v1.11.0.

    Synapse 1.12.0 (2020-03-23)

    ๐Ÿณ Debian packages and Docker images are rebuilt using the latest versions of ๐Ÿ”’ dependency libraries, including Twisted 20.3.0. Please see security advisory below.

    โšก๏ธ Potential slow database update during upgrade

    โšก๏ธ Synapse 1.12.0 includes a database update which is run as part of the upgrade, and which may take some time (several hours in the case of a large โšก๏ธ server). Synapse will not respond to HTTP requests while this update is taking ๐Ÿ‘€ place. For imformation on seeing if you are affected, and workaround if you โฌ†๏ธ are, see the [upgrade notes](docs/upgrade.md#upgrading-to-v1120).

    Security advisory

    Synapse may be vulnerable to request-smuggling attacks when it is used with a reverse proxy. The vulnerabilities are fixed in Twisted 20.3.0, and are described in CVE-2020-10108 and CVE-2020-10109. For a good introduction to this class of request-smuggling attacks, see https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.

    We are not aware of these vulnerabilities being exploited in the wild, and do not believe that they are exploitable with current versions of any reverse proxies. Nevertheless, we recommend that all Synapse administrators ensure that they have the latest versions of the Twisted library to ensure that their installation remains secure.

    • ๐Ÿณ Administrators using the matrix.org Docker image or the Debian/Ubuntu packages from matrix.org should ensure that they have version 1.12.0 installed: these images include Twisted 20.3.0.
    • Administrators who have installed Synapse from source should upgrade Twisted within their virtualenv by running: sh <path_to_virtualenv>/bin/pip install 'Twisted>=20.3.0'
    • ๐Ÿ“ฆ Administrators who have installed Synapse from distribution packages should consult the information from their distributions.

    The matrix.org Synapse instance was not vulnerable to these vulnerabilities.
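    The request-smuggling class the advisory refers to arises when a reverse proxy and the backend disagree about where one request's body ends and the next request begins. As an added example (not Synapse or Twisted code, and not a description of the specific Twisted fix), the following strict framing check applies the RFC 7230 section 3.3.3 rules that a hardened HTTP/1.1 parser or proxy uses to refuse ambiguous messages rather than guess; the sample requests are constructed for the demonstration.

```python
from __future__ import annotations

# Added example: reject HTTP/1.1 requests whose body framing is ambiguous
# (RFC 7230 section 3.3.3). A parser that silently picks one interpretation
# is what lets a proxy and a backend desynchronise, so we raise instead.

class AmbiguousFraming(ValueError):
    """Raised when a request's body length cannot be determined unambiguously."""

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw request into (name, value) pairs; names are lower-cased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or name != name.strip():  # whitespace around the name is invalid
            raise AmbiguousFraming(f"malformed header line: {line!r}")
        pairs.append((name.decode("ascii").lower(), value.decode("ascii").strip()))
    return pairs

def body_framing(raw: bytes) -> tuple[str, int | None]:
    """Return ("chunked", None), ("length", n) or ("none", 0) after strict checks."""
    headers = parse_headers(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    if encodings and lengths:
        # Both headers present: RFC 7230 calls this a request-smuggling signal.
        raise AmbiguousFraming("Content-Length and Transfer-Encoding both present")
    if encodings:
        codings = [c.strip().lower() for e in encodings for c in e.split(",")]
        if codings[-1] != "chunked":  # chunked must be the final transfer coding
            raise AmbiguousFraming(f"Transfer-Encoding does not end with chunked: {codings}")
        return ("chunked", None)
    if lengths:
        # Repeated Content-Length fields are only acceptable when they all agree.
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise AmbiguousFraming(f"conflicting or invalid Content-Length: {lengths}")
        return ("length", int(lengths[0]))
    return ("none", 0)

def is_ambiguous(raw: bytes) -> bool:
    """Convenience wrapper: True when the request would be refused."""
    try:
        body_framing(raw)
    except AmbiguousFraming:
        return True
    return False

# Constructed samples: one well-formed request and two with ambiguous framing.
GOOD = b"POST /_matrix/client/r0/login HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = b"POST / HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
DUP_CL = b"POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\n"
```

Running `body_framing` over inbound requests at the proxy layer is a detection as well as a mitigation: every `AmbiguousFraming` raised is worth logging, since well-behaved clients never send such headers.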

    0๏ธโƒฃ Advance notice of change to the default git branch for Synapse

    0๏ธโƒฃ Currently, the default git branch for Synapse is master, which tracks the ๐Ÿš€ latest release.

    After the release of Synapse 1.13.0, we intend to change this default to develop, which is the development tip. This is more consistent with common practice and modern git usage.

    Although we try to keep develop in a stable state, there may be occasions where regressions creep in. Developers and distributors who have scripts which run builds using the default branch of Synapse should therefore consider pinning their scripts to master.