Synapse v1.42.0.rc1 Release Notes
Release Date: 2021-09-01
Features
- Add support for MSC3231: Token authenticated registration. Users can be required to submit a token during registration to authenticate themselves. Contributed by Callum Brown. (#10142)
- Add support for MSC3283: Expose `enable_set_displayname` in capabilities. (#10452)
- Port the `PresenceRouter` module interface to the new generic interface. (#10524)
- Add pagination to the spaces summary based on updates to MSC2946. (#10613, #10725)
Bugfixes
- Validate new `m.room.power_levels` events. Contributed by @aaronraimist. (#10232)
- Display an error on User-Interactive Authentication fallback pages when authentication fails. Contributed by Callum Brown. (#10561)
- Remove pushers when deleting an e-mail address from an account. Pushers for old unlinked emails will also be deleted. (#10581, #10734)
- Reject Client-Server `/keys/query` requests which provide `device_ids` incorrectly. (#10593)
- Rooms with unsupported room versions are no longer returned via `/sync`. (#10644)
- Enforce the maximum length for per-room display names and avatar URLs. (#10654)
- Fix a bug which caused the `synapse_user_logins_total` Prometheus metric not to be correctly initialised on restart. (#10677)
- Improve `ServerNoticeServlet` to avoid duplicate requests and add unit tests. (#10679)
- Fix long-standing issue which caused an error when a thumbnail is requested and there are multiple thumbnails with the same quality rating. (#10684)
- Fix a regression introduced in v1.41.0 which affected the performance of concurrent fetches of large sets of events, in extreme cases causing the process to hang. (#10703)
- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. (#10713)
Improved Documentation
- Add documentation on how to connect Django with Synapse using OpenID Connect and django-oauth-toolkit. Contributed by @HugoDelval. (#10192)
- Advertise https://matrix-org.github.io/synapse documentation in the `README` and `CONTRIBUTING` files. (#10595)
- Fix some of the titles not rendering in the OpenID Connect documentation. (#10639)
- Minor clarifications to the documentation for reverse proxies. (#10708)
- Remove table of contents from the top of installation and contributing documentation pages. (#10711)
Deprecations and Removals
- Remove deprecated Shutdown Room and Purge Room Admin API. (#8830)
Internal Changes
- Improve type hints for the proxy agent and SRV resolver modules. Contributed by @dklimpel. (#10608)
- Clean up some of the federation event authentication code for clarity. (#10614, #10615, #10624, #10640)
- Add a comment asking developers to leave a reason when bumping the database schema version. (#10621)
- Remove not needed database updates in modify user admin API. (#10627)
- Convert room member storage tuples to `attrs` classes. (#10629, #10642)
- Use auto-attribs for the attrs classes used in sync. (#10630)
- Make `backfill` and `get_missing_events` use the same codepath. (#10645)
- Improve the performance of the `/hierarchy` API (from MSC2946) by caching responses received over federation. (#10647)
- Run a nightly CI build against Twisted trunk. (#10651, #10672)
- Do not print out stack traces for network errors when fetching data over federation. (#10662)
- Simplify tests for device admin rest API. (#10664)
- Add missing type hints to REST servlets. (#10665, #10666, #10674)
- Flatten the `tests.synapse.rests` package by moving the contents of `v1` and `v2_alpha` into the parent. (#10667)
- Update `complement.sh` to rebuild the base Docker image when run with workers. (#10686)
- Split the event-processing methods in `FederationHandler` into a separate `FederationEventHandler`. (#10692)
- Remove unused `compare_digest` function. (#10706)
Synapse 1.41.1 (2021-08-31)
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
Security advisory
The following issues are fixed in v1.41.1.
- GHSA-3x4c-pq33-4w3q / CVE-2021-39164: Enumerating a private room's list of members and their display names.
  If an unauthorized user both knows the Room ID of a private room and that room's history visibility is set to `shared`, then they may be able to enumerate the room's members, including their display names.
  The unauthorized user must be on the same homeserver as a user who is a member of the target room.
  Fixed by 52c7a51cf.
- GHSA-jj53-8fmw-f2w2 / CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.
  If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.
  The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (`enable_group_creation` in the Synapse configuration; off by default).
  Fixed by cb35df940a, #10723.
Bugfixes
- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. (#10713)
Synapse 1.41.0 (2021-08-24)
This release adds support for Debian 12 (Bookworm), but removes support for Ubuntu 20.10 (Groovy Gorilla), which reached End of Life last month.
Note that when using workers the `/_synapse/admin/v1/users/{userId}/media` must now be handled by media workers. See the upgrade notes for more information.
Features