./chat/matrix-synapse, Reference homeserver for the Matrix decentralised comms protocol

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.124.0, Package name: matrix-synapse-1.124.0, Maintainer: js

Synapse is a reference "homeserver" implementation of Matrix from the core
development team at matrix.org, written in Python/Twisted. It is intended to
showcase the concept of Matrix and let folks see the spec in the context of a
codebase and let you run your own homeserver and generally help bootstrap the
ecosystem.

Master sites:

Filesize: 8659.052 KB

Version history: (Expand)

CVS history: (Expand)


   2025-02-18 16:32:11 by Thomas Klausner | Files touched by this commit (8) 
Log message:
*: switch py-bcrypt users to versioned_dependencies.mk, bump PKGREVISION
   2025-02-15 16:34:05 by Greg Troxel | Files touched by this commit (4) 
Log message:
chat/matrix-synapse: Update to 1.124.0

Upstream NEWS contents:

* 1.124.0

  [bugfixes]

* Synapse 1.123.0 (2025-01-28)

Features

    Implement MSC4133 for custom profile fields. Contributed by @clokep. (#17488)
    Add a query parameter type to the Room State Admin API that filters the \ 
state event. (#18035)
    Support the new /auth_metadata endpoint defined in MSC2965. (#18093)

* Synapse 1.122.0rc1 (2025-01-07)

Deprecations and Removals

    Remove support for PostgreSQL 11 and 12. Contributed by @clokep. (#18034)

Features

    Added the email.tlsname config option. This allows specifying the domain \ 
name used to validate the SMTP server's TLS certificate separately from the \ 
email.smtp_host to connect to. (#17849)
    Module developers will have access to the user ID of the requester when \ 
adding check_username_for_spam callbacks to spam_checker_module_callbacks. \ 
Contributed by Wilson@Pangea.chat. (#17916)
    Add endpoints to the Admin API to fetch the number of invites the provided \ 
user has sent after a given timestamp,
    fetch the number of rooms the provided user has joined after a given \ 
timestamp, and get report IDs of event
    reports against a provided user (i.e. where the user was the sender of the \ 
reported event). (#17948)
    Support stable account suspension from MSC3823. (#17964)
    Add macaroon_secret_key_path config option. (#17983)

* Synapse 1.121.0 (2024-12-11)

Features

    Support for MSC4190: device management for Application Services. (#17705)
    Update MSC4186 Sliding Sync to include invite, ban, kick, targets when \ 
$LAZY-loading room members. (#17947)
    Use stable M_USER_LOCKED error code for locked accounts, as per Matrix 1.12. \ 
(#17965)
    MSC4076: Add disable_badge_count to pusher configuration. (#17975)
   2024-12-04 16:43:59 by Greg Troxel | Files touched by this commit (2) | Package updated
Log message:
chat/matrix-synapse: Update to 1.120.2

This is a security patch release.

This patch release fixes multiple security vulnerabilities, some affecting all \ 
prior versions of Synapse. Server administrators are encouraged to update \ 
Synapse as soon as possible. We are not aware of these vulnerabilities being \ 
exploited in the wild.

Administrators who are unable to update Synapse may use the workarounds \ 
described in the linked GitHub Security Advisory below.
Security advisory

The following issues are fixed in 1.120.1.

    GHSA-rfq8-j7rh-8hf2 / CVE-2024-52805 (high): Unsupported content types can \ 
lead to memory exhaustion

    Synapse instances which have a high max_upload_size and which don't have a \ 
reverse proxy in front of them that would otherwise limit upload size are \ 
affected.

    Fixed by 4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf.

    GHSA-f3r3-h2mq-hx2h / CVE-2024-52815 (high): Malicious invites via \ 
federation can break a user's sync

    Fixed by d82e1ed357b7ee21dff83d06cba7a67840cfd464.

    GHSA-vp6v-whfm-rv3g / CVE-2024-53863 (high): Synapse can be forced to \ 
thumbnail unexpected file formats, invoking potentially untrustworthy decoders

    Synapse instances can disable dynamic thumbnailing by setting \ 
dynamic_thumbnails to false in the configuration file.

    Fixed by b64a4e5fbbbf119b6c65aedf0d999b4237d55503.

    GHSA-56w4-5538-8v8h / CVE-2024-53867 (moderate): The Sliding Sync feature on \ 
Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state \ 
changes to users no longer in a room

    Non-state events, like messages, are unaffected.

    Synapse instances can disable the Sliding Sync feature by setting \ 
experimental_features.msc3575_enabled to false in the configuration file.

    Fixed by 4daa533e82f345ce87b9495d31781af570ba3ead.

Additionally, we disclose the following vulnerabilities, both have been fixed in \ 
Synapse 1.106.0:

    GHSA-4mhg-xv73-xq2x / CVE-2024-37302 (high): Denial of service through media \ 
disk space consumption

    GHSA-gjgr-7834-rhxr / CVE-2024-37303 (moderate): Unauthenticated writes to \ 
the media repository allow planting of problematic content
   2024-11-26 18:42:37 by Greg Troxel | Files touched by this commit (5) | Package updated
Log message:
chat/matrix-synapse: Update to 1.20.0

Upstream NEWS:

Synapse 1.120.0 (2024-11-26)

This release enables the enforcement of authenticated media by default, with \ 
exemptions for media that is already present in the
homeserver's media store.

Most homeservers operating in the public federation will not be impacted by this \ 
change, given that
the large homeserver matrix.org enabled this in September 2024 and therefore \ 
most clients and servers
will already have updated as a result.

Some server administrators may still wish to disable this enforcement for the \ 
time being, in the interest of compatibility with older clients
and older federated homeservers.
See the upgrade notes for more information.

Synapse 1.119.0 (2024-11-13)

    Support MSC4151's stable report room API. (#17374)
    Add experimental support for MSC4222 (Adding state_after to sync v2). (#17888)

Synapse 1.118.0 (2024-10-29)

    Added the display_name_claim option to the JWT configuration. This option \ 
allows specifying the claim key that contains the user's display name in the JWT \ 
payload. (#17708)
    Implement MSC4210: Remove legacy mentions. Contributed by @tulir @ Beeper. \ 
(#17783)

Synapse 1.117.0 (2024-10-15)

    Add config option redis.password_path. (#17717)

Synapse 1.116.0 (2024-10-01)

    Add implementation of restricting who can overwrite a state event as \ 
proposed by MSC3757. (#17513)

Synapse 1.115.0 (2024-09-17)

    Improve cross-signing upload when using MSC3861 to use a custom UIA flow \ 
stage, with web fallback support. (#17509)
   2024-11-26 15:26:59 by Greg Troxel | Files touched by this commit (1) 
Log message:
chat/matrix-synapse: Move .orig remediation to post-install

After giving up on fighting poetry to make it not install .orig files
and thus put them in the wheel built during the build stage, change to
removing the .orig files in destdir after the install target.

No change to binary package, but now mkpatches should be ok even after
make package.
   2024-11-24 15:57:46 by Greg Troxel | Files touched by this commit (3) 
Log message:
chat/matrix-synapse: Add comments related to workaround

  - add upstream bugtracker URL for patch to avoid use of Twisted private API

  - expand comment about the build system bug of installing fooorig,
    and leave a note that it should be changed to happen later.
    However, with the target as pre-install, the orig files are
    mysteriously still installed.

NFCI; this is a comment-only change (plus distinfo for the new comments)
   2024-11-24 14:57:45 by Jonathan Schleifer | Files touched by this commit (3) 
Log message:
Fix chat/matrix-synapse with newer Twisted
   2024-10-14 08:46:10 by Thomas Klausner | Files touched by this commit (325) 
Log message:
*: clean-up after python38 removal