Log Message:
chat/matrix-synapse: Update to 1.95.0

Upstream NEWS content less bugfixes, minor improvements, improved
documentation, etc.

1.95.0:

  none

1.94.0:

* Security

  The following issue is fixed in 1.94.0 (and RC).

    GHSA-5chr-wjw5-3gq4 / CVE-2023-45129 — Moderate Severity

    A malicious server ACL event can impact performance temporarily or \ 
permanently leading to a persistent denial of service.

    Homeservers running on a closed federation (which presumably do not need to \ 
use server ACLs) are not affected.

* Features

    Render plain, CSS, CSV, JSON and common image formats in the browser \ 
(inline) when requested through the /download endpoint. (#15988)
    Add experimental support for MSC4028 to push all encrypted events to \ 
clients. (#16361)
    Minor performance improvement when sending presence to federated servers. \ 
(#16385)
    Minor performance improvement by caching server ACL checking. (#16360)

1.93.0:

* Security

  The following issues are fixed in 1.93.0 (and RCs).

    GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity

    Temporary storage of plaintext passwords during password changes.

    GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity

    Improper validation of receipts allows forged read receipts.

* Features

    Add automatic purge after all users have forgotten a room. (#15488)
    Restore room purge/shutdown after a Synapse restart. (#15488)
    Support resolving homeservers using matrix-fed DNS SRV records from MSC4040. \ 
(#16137)
    Add the ability to use G (GiB) and T (TiB) suffixes in configuration options \ 
that refer to numbers of bytes. (#16219)
    Add span information to requests sent to appservices. Contributed by \ 
MTRNord. (#16227)
    Add the ability to enable/disable registrations when using CAS. Contributed \ 
by Aurélien Grimpard. (#16262)
    Allow the /notifications endpoint to be routed to workers. (#16265)
    Enable users to easily unsubscribe to notifications emails via the \ 
List-Unsubscribe header. (#16274)
    Report whether a user is locked in the List Accounts admin API, and exclude \ 
locked users by default. (#16328)

1.92.x:

* Security

    Pillow requirement in 10.0.1, not because it's actually required,
    but because other packaging systems don't handle updates correctly
    (libwebp).

1.91.x:

    Revert MSC3861 introspection cache, admin impersonation and
    account lock. (Labeled bugfix, but written in a way that makes it
    seem far more important.

* Features

    Add configuration setting for CAS protocol version. Contributed by Aurélien \ 
Grimpard. (#15816)
    Suppress notifications from message edits per MSC3958. (#16113)
    Return a Retry-After with M_LIMIT_EXCEEDED error responses. (#16136)
    Add last_seen_ts to the admin users API. (#16218)
    Improve resource usage when sending data to a large number of remote hosts \ 
that are marked as "down". (#16223)