chore(deps): update matrixdotorg/synapse docker tag to v1.120.2 #73

Merged

finn merged 1 commit from renovate/matrixdotorg-synapse-1.x into main 2024-12-03 17:33:28 +00:00

Conversation 0 Commits 1 Files changed 2 +2 -2

renovatebot commented 2024-12-03 16:02:33 +00:00

Member

Copy link

This PR contains the following updates:

Package	Type	Update	Change
matrixdotorg/synapse (source)		patch	v1.120.0 -> v1.120.2
matrixdotorg/synapse (source)	final	patch	v1.120.0 -> v1.120.2

---

Release Notes

element-hq/synapse (matrixdotorg/synapse)

v1.120.2

Compare Source

Synapse 1.120.2 (2024-12-03)

This version has building of wheels for macOS disabled.
It is functionally identical to 1.120.1, which contains multiple security fixes.
If you are already using 1.120.1, there is no need to upgrade to this version.

Synapse 1.120.1 (2024-12-03)

This patch release fixes multiple security vulnerabilities, some affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.

Security advisory

The following issues are fixed in 1.120.1.

• GHSA-rfq8-j7rh-8hf2 / CVE-2024-52805 (high): Unsupported content types can lead to memory exhaustion

  Synapse instances which have a high max_upload_size and which don't have a reverse proxy in front of them that would otherwise limit upload size are affected.

  Fixed by 4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf.

• GHSA-f3r3-h2mq-hx2h / CVE-2024-52815 (high): Malicious invites via federation can break a user's sync

  Fixed by d82e1ed357b7ee21dff83d06cba7a67840cfd464.

• GHSA-vp6v-whfm-rv3g / CVE-2024-53863 (high): Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders

  Synapse instances can disable dynamic thumbnailing by setting dynamic_thumbnails to false in the configuration file.

  Fixed by b64a4e5fbbbf119b6c65aedf0d999b4237d55503.

• GHSA-56w4-5538-8v8h / CVE-2024-53867 (moderate): The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room

  Non-state events, like messages, are unaffected.

  Synapse instances can disable the Sliding Sync feature by setting experimental_features.msc3575_enabled to false in the configuration file.

  Fixed by 4daa533e82f345ce87b9495d31781af570ba3ead.

Additionally, we disclose the following vulnerabilities, both have been fixed in Synapse 1.106.0:

• GHSA-4mhg-xv73-xq2x / CVE-2024-37302 (high): Denial of service through media disk space consumption

• GHSA-gjgr-7834-rhxr / CVE-2024-37303 (moderate): Unauthenticated writes to the media repository allow planting of problematic content

See the advisories for more details. If you have any questions, email security at element.io.

Bug fixes

• Fix release process to not create duplicate releases. (#​17970)

v1.120.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [matrixdotorg/synapse](https://matrix.org/docs/projects/server/synapse) ([source](https://github.com/element-hq/synapse)) | | patch | `v1.120.0` -> `v1.120.2` | | [matrixdotorg/synapse](https://matrix.org/docs/projects/server/synapse) ([source](https://github.com/element-hq/synapse)) | final | patch | `v1.120.0` -> `v1.120.2` | --- ### Release Notes <details> <summary>element-hq/synapse (matrixdotorg/synapse)</summary> ### [`v1.120.2`](https://github.com/element-hq/synapse/releases/tag/v1.120.2) [Compare Source](https://github.com/element-hq/synapse/compare/v1.120.1...v1.120.2) ##### Synapse 1.120.2 (2024-12-03) This version has building of wheels for macOS disabled. It is functionally identical to 1.120.1, which contains **multiple security fixes**. If you are already using 1.120.1, there is no need to upgrade to this version. ##### Synapse 1.120.1 (2024-12-03) This patch release fixes multiple security vulnerabilities, some affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild. Administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below. ##### Security advisory The following issues are fixed in 1.120.1. - [GHSA-rfq8-j7rh-8hf2](https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2) / [CVE-2024-52805](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52805) (high): **Unsupported content types can lead to memory exhaustion** Synapse instances which have a high `max_upload_size` and which don't have a reverse proxy in front of them that would otherwise limit upload size are affected. Fixed by [4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf](https://github.com/element-hq/synapse/commit/4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf). - [GHSA-f3r3-h2mq-hx2h](https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h) / [CVE-2024-52815](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52815) (high): **Malicious invites via federation can break a user's sync** Fixed by [d82e1ed357b7ee21dff83d06cba7a67840cfd464](https://github.com/element-hq/synapse/commit/d82e1ed357b7ee21dff83d06cba7a67840cfd464). - [GHSA-vp6v-whfm-rv3g](https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g) / [CVE-2024-53863](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53863) (high): **Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders** Synapse instances can disable dynamic thumbnailing by setting `dynamic_thumbnails` to `false` in the configuration file. Fixed by [b64a4e5fbbbf119b6c65aedf0d999b4237d55503](https://github.com/element-hq/synapse/commit/b64a4e5fbbbf119b6c65aedf0d999b4237d55503). - [GHSA-56w4-5538-8v8h](https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h) / [CVE-2024-53867](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53867) (moderate): **The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room** Non-state events, like messages, are unaffected. Synapse instances can disable the Sliding Sync feature by setting `experimental_features.msc3575_enabled` to `false` in the configuration file. Fixed by [4daa533e82f345ce87b9495d31781af570ba3ead](https://github.com/element-hq/synapse/commit/4daa533e82f345ce87b9495d31781af570ba3ead). Additionally, we disclose the following vulnerabilities, both have been fixed in Synapse 1.106.0: - [GHSA-4mhg-xv73-xq2x](https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x) / [CVE-2024-37302](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37302) (high): **Denial of service through media disk space consumption** - [GHSA-gjgr-7834-rhxr](https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr) / [CVE-2024-37303](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37303) (moderate): **Unauthenticated writes to the media repository allow planting of problematic content** See the advisories for more details. If you have any questions, email [security at element.io](mailto:security@element.io). ##### Bug fixes - Fix release process to not create duplicate releases. ([#&#8203;17970](https://github.com/element-hq/synapse/issues/17970)) ### [`v1.120.1`](https://github.com/element-hq/synapse/compare/v1.120.0...v1.120.1) [Compare Source](https://github.com/element-hq/synapse/compare/v1.120.0...v1.120.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4wLjAiLCJ1cGRhdGVkSW5WZXIiOiIzOS4wLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

renovatebot added 1 commit 2024-12-03 16:02:33 +00:00

chore(deps): update matrixdotorg/synapse docker tag to v1.120.1 2a98493b5f

renovatebot force-pushed renovate/matrixdotorg-synapse-1.x from 2a98493b5f to 8416518590 2024-12-03 17:02:00 +00:00 Compare

renovatebot changed title from chore(deps): update matrixdotorg/synapse docker tag to v1.120.1 to chore(deps): update matrixdotorg/synapse docker tag to v1.120.2 2024-12-03 17:02:10 +00:00

finn merged commit 8416518590 into main 2024-12-03 17:33:28 +00:00

finn deleted branch renovate/matrixdotorg-synapse-1.x 2024-12-03 17:33:28 +00:00

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: JankySolutions/infra#73

No description provided.