matrix.org/content/blog/2020/07/2020-07-02-synapse-1-15-2-released-with-security-fixes.md
Kim Brose 963ee433ad
Simplify PR template, introduce MD linter (#3051)
* Convert checkboxes to questions

Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* document internal links

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* document blog taxonomies

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* update PR bot CI from https://github.com/HarHarLinks/pr-template-autoclose

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix heading depth (MD001 MD003)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix code blocks

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix spaces in link text (MD039)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix no newline at end of file (MD047)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix bare URLs without angle brackets (MD034)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* remove redundant attribute

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* linter exception

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* lint links and headings with rumdl instead of checklist

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* convert signoff checklist to heading

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* configure linter to .rumdl.toml explicitly

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* bump rumdl action

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* Shorten comments in the template

Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* Remove rumdl default config example comments

Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* explain more about the pr-bot

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* pin rumdl action to v0

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix unlinked email address in coc

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

---------

Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>
Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>
Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
2025-12-09 14:26:51 +01:00


+++
title = "Synapse 1.15.2 released with security fixes"
date = "2020-07-02T17:58:57Z"
path = "/blog/2020/07/02/synapse-1-15-2-released-with-security-fixes"

[taxonomies]
author = ["Richard van der Hoff"]
category = ["Releases", "Security"]
+++

Folks, today we are releasing Synapse 1.15.2, a security release containing fixes for two separate problems. We are also putting out the second release candidate for the forthcoming Synapse 1.16, which includes the same fixes.

Firstly, we have fixed a bug in the implementation of the room state resolution algorithm which could cause users to be unexpectedly ejected from rooms (Synapse issue #7742).

Secondly, we have improved the security of pages served as part of the Single-Sign-on login flows to prevent clickjacking attacks. Thank you to Quentin Gliech for reporting this.

We are not aware of either of these vulnerabilities being exploited in the wild, but we recommend that administrators upgrade as soon as possible. Those on Synapse 1.15.1 or earlier should upgrade to Synapse 1.15.2, while those who have already upgraded to Synapse 1.16.0rc1 should upgrade to 1.16.0rc2.

Get the new releases from any of the usual sources mentioned at https://github.com/matrix-org/synapse/blob/master/INSTALL.md. 1.15.2 is on github here, and 1.16.0rc2 is here.

Changelog for 1.15.2 follows:

## Synapse 1.15.2 (2020-07-02)

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

### Security advisory

- A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers. (96e9afe6)

- HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade. (ea26e9a9)

  This was reported by Quentin Gliech.
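The clickjacking item above, and the earlier paragraph on hardening the single-sign-on pages, describe the fix only in outline. As an added example (not Synapse's own code, and not taken from commit ea26e9a9), the following shows the generic defence for this class of issue: attaching framing-control headers to every HTML page a server renders, together with a small audit function an administrator can run over a response's headers to confirm a deployment is protected. The header values used (`X-Frame-Options: DENY`, `Content-Security-Policy: frame-ancestors 'none'`) are the standard browser mechanisms for blocking framing; the page does not state which headers Synapse 1.15.2 actually sets, so that mapping is an assumption. The login page markup and the sample header sets are constructed for the example.

```python
"""Anti-clickjacking response headers for server-rendered HTML pages,
plus an audit that checks whether a set of response headers blocks framing.

Added example; not Synapse's code. Assumption: the generic mitigation is
X-Frame-Options and/or a CSP frame-ancestors directive.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Mapping, Optional

# Both headers are sent: frame-ancestors is the modern control and takes
# precedence where supported, X-Frame-Options covers older browsers.
ANTI_FRAMING_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Constructed stand-in for an SSO login/confirmation page.
LOGIN_PAGE = b"<html><body><form method='post'><button>Continue</button></form></body></html>"


def html_response_headers(extra: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Headers to attach to any HTML page: content type plus framing controls."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    headers.update(ANTI_FRAMING_HEADERS)
    if extra:
        headers.update(extra)
    return headers


def framing_protected(headers: Mapping[str, str]) -> bool:
    """Return True if these response headers stop other origins framing the page.

    Accepts X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive
    whose source list does not admit arbitrary origins ('*' or a bare scheme
    such as 'https:'). Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources:
                return False  # empty source list: nothing is restricted
            # A wildcard or scheme-only source lets any origin frame the page.
            return not any(s in ("*", "http:", "https:") for s in sources)
    return False


class LoginPageHandler(BaseHTTPRequestHandler):
    """Minimal handler that serves the constructed page with framing controls."""

    def do_GET(self) -> None:  # noqa: N802 (stdlib naming)
        self.send_response(200)
        for name, value in html_response_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(LOGIN_PAGE)))
        self.end_headers()
        self.wfile.write(LOGIN_PAGE)


def serve(port: int = 8088) -> None:
    """Run the demo server; hypothetical port chosen for the example."""
    HTTPServer(("127.0.0.1", port), LoginPageHandler).serve_forever()


if __name__ == "__main__":
    # Audit a constructed "before" header set (what a vulnerable page sends)
    # against the hardened set, then serve the hardened page.
    before = {"Content-Type": "text/html"}
    print("before:", framing_protected(before))  # False
    print("after: ", framing_protected(html_response_headers()))  # True
    serve()
```

Running the block starts a local server whose response you can inspect with any HTTP client; the `framing_protected` audit is the useful part for a deployment check, since it can be pointed at headers captured from a live homeserver's SSO pages rather than at the demo handler.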