Synapse v1.12.1.rc1 Release Notes
Release Date: 2020-03-31

Bugfixes
- Fix starting workers when federation sending is not split out. (#7133). Introduced in v1.12.0.
- Avoid importing `sqlite3` when using the postgres backend. Contributed by David Vo. (#7155). Introduced in v1.12.0rc1.
- Fix a bug which could cause outbound federation traffic to stop working if a client uploaded an incorrect e2e device signature. (#7177). Introduced in v1.11.0.
Synapse 1.12.0 (2020-03-23)
Debian packages and Docker images are rebuilt using the latest versions of dependency libraries, including Twisted 20.3.0. Please see the security advisory below.

Potential slow database update during upgrade
Synapse 1.12.0 includes a database update which is run as part of the upgrade, and which may take some time (several hours in the case of a large server). Synapse will not respond to HTTP requests while this update is taking place. For information on seeing if you are affected, and a workaround if you are, see the [upgrade notes](docs/upgrade.md#upgrading-to-v1120).

Security advisory
Synapse may be vulnerable to request-smuggling attacks when it is used with a reverse proxy. The vulnerabilities are fixed in Twisted 20.3.0, and are described in CVE-2020-10108 and CVE-2020-10109. For a good introduction to this class of request-smuggling attacks, see https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.

We are not aware of these vulnerabilities being exploited in the wild, and do not believe that they are exploitable with current versions of any reverse proxies. Nevertheless, we recommend that all Synapse administrators ensure that they have the latest version of the Twisted library so that their installation remains secure.
- Administrators using the `matrix.org` Docker image or the Debian/Ubuntu packages from `matrix.org` should ensure that they have version 1.12.0 installed: these images include Twisted 20.3.0.
- Administrators who have installed Synapse from `source` should upgrade Twisted within their virtualenv by running:

```sh
<path_to_virtualenv>/bin/pip install 'Twisted>=20.3.0'
```

- Administrators who have installed Synapse from distribution packages should consult the information from their distributions.
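As an added example (not part of these release notes or of the Synapse project's code), a small audit helper that decides whether a Twisted version string already contains the CVE-2020-10108 / CVE-2020-10109 fixes, i.e. is 20.3.0 or later, and scans `pip freeze` output from a Synapse virtualenv for the installed pin. The function names are my own, the `pip freeze` sample is constructed, and pre-releases such as 20.3.0rc1 are deliberately treated as older than the final 20.3.0 release.

```python
"""Audit helper for the Synapse 1.12.0 security advisory (CVE-2020-10108 /
CVE-2020-10109).  Added example, not Synapse project code: decides whether an
installed Twisted already carries the request-smuggling fixes (>= 20.3.0)."""
import re

FIXED_TWISTED = "20.3.0"  # minimum version named in the advisory

# Rank used for pre-release suffixes; a final release ranks above all of them.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse_version(text):
    """Turn '20.3.0', '19.10.0' or '20.3.0rc1' into a comparable tuple.

    The numeric part is padded to three components so '20.3' == '20.3.0'.
    A trailing (1,) marks a final release; (0, rank, n) marks a pre-release,
    which therefore sorts below the final release with the same number.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    if m.group(2):
        return numbers + (0, _PRE_RANK[m.group(2)], int(m.group(3)))
    return numbers + (1,)


def twisted_has_fix(version):
    """True when this Twisted version includes the CVE fixes (>= 20.3.0)."""
    return parse_version(version) >= parse_version(FIXED_TWISTED)


def audit_freeze(freeze_output):
    """Scan `pip freeze` output for the Twisted pin.

    Returns (version, fixed) or (None, False) if Twisted is not listed.
    """
    for line in freeze_output.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name.lower() == "twisted":
            return ver, twisted_has_fix(ver)
    return None, False


# Constructed sample of `pip freeze` from a pre-upgrade Synapse virtualenv.
SAMPLE_FREEZE = """\
matrix-synapse==1.11.1
treq==20.3.0
Twisted==19.10.0
"""

if __name__ == "__main__":
    ver, ok = audit_freeze(SAMPLE_FREEZE)
    print(f"Twisted {ver}: {'fixed' if ok else 'UPGRADE to >= ' + FIXED_TWISTED}")
```

To check a real deployment, pipe the output of `<path_to_virtualenv>/bin/pip freeze` into `audit_freeze` instead of the constructed sample.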
The `matrix.org` Synapse instance was not affected by these vulnerabilities.

Advance notice of change to the default `git` branch for Synapse

Currently, the default `git` branch for Synapse is `master`, which tracks the latest release. After the release of Synapse 1.13.0, we intend to change this default to `develop`, which is the development tip. This is more consistent with common practice and modern `git` usage.

Although we try to keep `develop` in a stable state, there may be occasions where regressions creep in. Developers and distributors who have scripts which run builds using the default branch of `Synapse` should therefore consider pinning their scripts to `master`.