matrix.org/content/blog/2019/01/2019-01-10-critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1.md
Kim Brose 963ee433ad
Simplify PR template, introduce MD linter (#3051)
* Convert checkboxes to questions

Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* document internal links

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* document blog taxonomies

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* update PR bot CI from https://github.com/HarHarLinks/pr-template-autoclose

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix heading depth (MD001 MD003)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix code blocks

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix spaces in link text (MD039)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix no newline at end of file (MD047)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix bare URLs without angle brackets (MD034)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* remove redundant attribute

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* linter exception

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* lint links and headings with rumdl instead of checklist

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* convert signoff checklist to heading

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* configure linter to .rumdl.toml explicitly

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* bump rumdl action

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* Shorten comments in the template

Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* Remove rumdl default config example comments

Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* explain more about the pr-bot

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* pin rumdl action to v0

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix unlinked email address in coc

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

---------

Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>
Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>
Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
2025-12-09 14:26:51 +01:00


+++
title = "Critical Security Update: Synapse 0.34.0.1/Synapse 0.34.1.1"
path = "/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1"

[taxonomies]
author = ["Neil Johnson"]
category = ["Security", "Releases"]
+++

After releasing Synapse v0.34.1, we became aware of a security vulnerability affecting all previous versions (CVE-2019-5885). v0.34.1 closes the vulnerability but, in some cases, causes users to be logged out of their clients, so we do not recommend v0.34.1 for production use.

Today we release two mitigating versions, v0.34.0.1 and v0.34.1.1. Both close the vulnerability and will not cause users to be logged out. All installations should be upgraded to one or the other immediately.

  • Admins who would otherwise upgrade to v0.34.1 (or those that have already done so) should upgrade to v0.34.1.1.
  • Admins on v0.34.0 who do not wish to bring in new, non-security-related behaviour should upgrade to v0.34.0.1.
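The upgrade decision above, written out as a small triage script that maps an advertised Synapse version to the fixed release with the least behaviour change. This is an added example, not code from this post or from the Synapse project. It assumes the version string is the one Synapse advertises, for example in the JSON body of the federation API's `GET /_matrix/federation/v1/version` (the sample responses in the block are constructed in that shape) or in `pip show matrix-synapse`, and that a pre-release suffix such as `rc1` marks a build older than the final release it precedes.

```python
"""
Triage a Synapse deployment against the upgrade advice in this post.

Added illustration, not code from the matrix.org post or from the Synapse
project. Assumptions (not stated on the page): the version string is the one
Synapse advertises, e.g. in the body of the federation API's
GET /_matrix/federation/v1/version (the constructed SAMPLE_RESPONSES below
have that shape) or in `pip show matrix-synapse`; and a pre-release suffix
such as "rc1" marks a build older than the final release it precedes.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

FIXED_OLD_BRANCH = (0, 34, 0, 1)  # v0.34.0.1: the fix on top of v0.34.0, nothing else
LOGOUT_RELEASE = (0, 34, 1)       # v0.34.1: fixed, but may log users out
FIXED_NEW_BRANCH = (0, 34, 1, 1)  # v0.34.1.1: v0.34.1 plus the logout fix


def parse_version(text: str) -> Tuple[Version, bool]:
    """Split "v0.34.1rc2" into ((0, 34, 1), True); "0.34.0.1" into ((0, 34, 0, 1), False)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    prerelease = m.group(2).strip() != ""
    return numbers, prerelease


def _key(parts: Version, prerelease: bool) -> tuple:
    # Pad to four components so 0.34.1 compares as (0,34,1,0) < (0,34,1,1);
    # a pre-release sorts just below the release it precedes.
    padded = parts + (0,) * max(0, 4 - len(parts))
    return (padded, 0 if prerelease else 1)


def triage(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended target) for an advertised Synapse version.

    The recommended target is the fixed release with the least behaviour change:
    v0.34.0.1 for hosts on the v0.34.0 line, v0.34.1.1 for everyone else.
    """
    parts, pre = parse_version(version)
    k = _key(parts, pre)
    if k >= _key(FIXED_NEW_BRANCH, False):
        return "fixed", None
    if k >= _key(LOGOUT_RELEASE, False):
        # v0.34.1 closed the hole but can log users out: move to v0.34.1.1.
        return "fixed_but_not_recommended", "0.34.1.1"
    on_0_34_0_line = parts[:3] == FIXED_OLD_BRANCH[:3]
    if on_0_34_0_line and not pre and len(parts) >= 4 and parts[3] >= FIXED_OLD_BRANCH[3]:
        return "fixed", None
    # Everything else (v0.34.0, older releases, any release candidate) predates the fix.
    return "vulnerable", "0.34.0.1" if on_0_34_0_line else "0.34.1.1"


def version_from_federation_response(body: str) -> str:
    """Extract server.version from a GET /_matrix/federation/v1/version body."""
    server = json.loads(body)["server"]
    if server.get("name") != "Synapse":
        raise ValueError(f"not a Synapse server: {server.get('name')!r}")
    return server["version"]


# Constructed sample bodies in the shape of the federation version endpoint.
SAMPLE_RESPONSES = {
    "stale": '{"server": {"name": "Synapse", "version": "0.34.0"}}',
    "logs_users_out": '{"server": {"name": "Synapse", "version": "0.34.1"}}',
    "patched": '{"server": {"name": "Synapse", "version": "0.34.1.1"}}',
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        advertised = version_from_federation_response(body)
        print(f"{label:15} {advertised:10} -> {triage(advertised)}")
```

The script only interprets version strings; fetching them is left to whatever access you have (the federation endpoint may be firewalled, in which case ask the host directly). Any string it cannot parse should be treated as vulnerable rather than skipped, and either fixed release closes the hole: the target it names is simply the one that changes the least.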

You can get the new updates for v0.34.0.1 and v0.34.1.1 here, or from any of the sources mentioned at https://github.com/matrix-org/synapse. Note that Synapse is now available from PyPI; pick it up here. See also our Synapse installation guide page.

We will publish more details of the vulnerability once admins have had a chance to upgrade. To our knowledge, the vulnerability has not been exploited in the wild.

Many thanks for your patience. We are moving ever closer to Synapse reaching v1.0, and fixes like this one bring it nearer still.

Thanks also to the package maintainers who have coordinated with us to ensure distro packages are available for a speedy upgrade!