Today we release Synapse 1.2.1 as a critical security update. It contains patches relating to redactions and event federation. The patches address long-standing bugs, and are not regressions specific to the previous version (1.2). All admins, regardless of current version, should upgrade as soon as possible.
This release includes four security fixes:
- Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. (#5767)
- Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely. Thanks to @lrizika:matrix.org for identifying and responsibly disclosing this issue. (0f2ecb961)
- Prevent an attack where users could be joined or parted from public rooms without their consent. Thanks to Dylanger for identifying and responsibly disclosing this issue. (#5744)
- Fix a vulnerability where a federated server could spoof read-receipts from users on other servers. Thanks to Dylanger for identifying this issue too. (#5743)
Additionally, the following fix was in Synapse 1.2.0, but was not correctly identified during the original release:
- It was possible for a room moderator to send a redaction for an m.room.create event, which would downgrade the room to version 1. Thanks to @/dev/ponies:ponies.im for identifying and responsibly disclosing this issue! (#5701)
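As an added illustration (not Synapse's own code), here is a simplified model of two of the redaction checks behind the fixes above: the v1/v2 room auth rule that a redaction must come from a sender with redact power or from the same origin server as the event being redacted, and a bounded walk over a chain of redactions so that a cycle terminates instead of spinning. The `Event` class, the `redacted_by` field and the sample event IDs are assumptions of this model, not Synapse's data structures.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified model of a Matrix event (not Synapse's classes).
@dataclass
class Event:
    event_id: str                      # v1/v2 form: "$localpart:origin.server"
    sender: str                        # "@user:server"
    event_type: str
    redacts: Optional[str] = None      # set on m.room.redaction events
    redacted_by: Optional[str] = None  # id of a redaction applied to this event

def domain_of(identifier: str) -> str:
    # v1/v2 event IDs and user IDs both carry their origin after the last ':'.
    return identifier.rsplit(":", 1)[1]

def redaction_allowed(redaction: Event, target: Event,
                      sender_power: int, redact_level: int) -> bool:
    """Auth rule for a redaction in a v1/v2 room: allow if the sender holds the
    room's redact power level, or if the redaction originates from the same
    server as the event it redacts. Applying a remote redaction without this
    check lets any federated server redact arbitrary events (the #5767 class)."""
    if redaction.event_type != "m.room.redaction":
        return False
    if redaction.redacts != target.event_id:
        return False
    if sender_power >= redact_level:
        return True
    return domain_of(redaction.event_id) == domain_of(target.event_id)

def resolve_redactions(events: Dict[str, Event], event_id: str,
                       max_hops: int = 32) -> Tuple[List[str], bool]:
    """Follow event -> redacted_by -> redacted_by ... and return the ids visited
    plus a flag saying whether a cycle (or the hop cap) was hit. Without the
    visited set a cycle such as A redacted by B, B redacted by A loops forever,
    which is the denial of service fixed in 0f2ecb961."""
    chain: List[str] = []
    seen = set()
    cur: Optional[str] = event_id
    while cur is not None and cur in events:
        if cur in seen or len(chain) >= max_hops:
            return chain, True  # cycle detected: stop instead of spinning
        seen.add(cur)
        chain.append(cur)
        cur = events[cur].redacted_by
    return chain, False
```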
You can get the new update here or from any of the sources mentioned at https://github.com/matrix-org/synapse. Alternatively, check out our Synapse installation guide page.
Thanks for bearing with us.