Releases

Synapse 1.69 released

17.10.2022 18:52 — Releases Brendan Abolivier
Last update: 17.10.2022 18:07

Hey everyone, it's time for a new Synapse release! Synapse 1.69 is out, fresh out of the oven. But before we take a look at it, here's a quick announcement:

We have recently disclosed a moderate severity security vulnerability, which was fixed in Synapse 1.62 (released on July 5th 2022). This issue affects all homeservers running a version of Synapse older than 1.62 with open federation. If this is the case for your deployment, please update to a more recent version of Synapse at your earliest convenience.

See advisory GHSA-jhjh-776m-4765 and CVE-2022-31152 for more information.

Now let's see what's new in Synapse 1.69!

Security release of matrix-appservice-irc 0.35.0 (High severity)

13.09.2022 16:56 — Releases Denis Kasak (dkasak)

We've released a new version of matrix.org's node-irc 1.3.0 and matrix-appservice-irc 0.35.0, to patch several security issues:

The details of the final vulnerability will be released at a later date, pending an audit of the codebase to ensure it's not affected by other similar vulnerabilities.

The vulnerabilities have been patched in node-irc version 1.3.0 and matrix-appservice-irc 0.35.0. You can get the release on GitHub.

The bridges running on the Libera Chat, OFTC and other networks bridged by the Matrix.org Foundation have been patched.

Please upgrade your IRC bridge as soon as possible.

The above vulnerabilities were reported by Val Lorentz. Thank you!

Security releases: matrix-js-sdk 19.4.0 and matrix-react-sdk 3.53.0

31.08.2022 18:13 — Releases Denis Kasak (dkasak)

Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a couple of High severity vulnerabilities (reserved as CVE-2022-36059 for the matrix-js-sdk and CVE-2022-36060 for the matrix-react-sdk).

Affected clients include those which depend on the affected libraries, such as Element Web/Desktop and Cinny. Releases of the affected clients will follow shortly. We advise users of those clients to upgrade at their earliest convenience.

The vulnerabilities give an adversary who shares a room with you the ability to carry out a denial-of-service attack against the affected clients, making them not show all of a user's rooms or spaces and/or causing minor temporary corruption.

The full vulnerability details will be disclosed at a later date, to give people time to upgrade and us to perform a more thorough audit of the codebase.

Note that while the vulnerability was to our knowledge never exploited maliciously, some unintentional public testing has left some people affected by the bug. We made a best effort to sanitize this to stop the breakage. If you are affected, you may still need to clear the cache and reload your Matrix client for it to take effect.

We thank Val Lorentz who discovered and reported the vulnerability over the weekend.

Synapse 1.65 released

17.08.2022 15:44 — Releases Brendan Abolivier
Last update: 17.08.2022 15:25

Hey everyone! We've just released Synapse 1.65! Let's have a peek at what's inside.

Private read receipts

A feature that the more privacy-focused users of Matrix have been missing was the ability to hide read receipts from other users. Read receipts in rooms can tell a user which messages another user has read in a room. However, they can also be an unwelcome indicator that a user is currently reading a certain room, thus giving away the user's activity on Matrix at a given time.

Hiding one's read receipts from other Matrix users is unfortunately not as straightforward as simply preventing a client from sharing read receipts with the server. This is because read receipts are also used by Matrix homeservers to calculate how much of a room a user has read, and generate notification counts for rooms accordingly.

Synapse 1.65 introduces stable support for private read receipts. This feature, described by MSC2285, allows clients to send a different type of read receipt to the server. This then tells the homeserver to use this piece of information to update the user's notification counts, but not to share it with other users.

Improved room management APIs for modules

This version of Synapse includes two new module API methods to help Synapse modules interact with and manage rooms. The first one, lookup_room_alias, allows modules to retrieve the room ID corresponding to a given room alias. This works both for local and remote aliases. The second one, create_room, allows modules to create new rooms on behalf of an existing user.

The update_room_membership method has also been updated in this release of Synapse to allow modules to join a room the server is not already in via federation. This can be done by using the new remote_room_hosts argument, which takes a list of homeservers to try to join via.
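A sketch of how a module could combine lookup_room_alias with the new remote_room_hosts argument while restricting federation joins to an allow-list of homeservers. This is an added example, not code from Synapse or from this post: the class names, the allow-list policy and the FakeModuleApi stand-in (with its constructed room ID and hostnames) are assumptions, and the method signatures follow the Synapse module API as documented for 1.65.

```python
import asyncio
from typing import Any, List, Set, Tuple


class AllowlistedAliasJoiner:
    """Joins local users to rooms by alias, only via allow-listed homeservers."""

    def __init__(self, api: Any, allowed_servers: Set[str]):
        self._api = api  # a synapse.module_api.ModuleApi instance in a real module
        self._allowed = allowed_servers

    async def join(self, user_id: str, room_alias: str) -> str:
        # lookup_room_alias resolves local and remote aliases and returns
        # the room ID together with hosts likely to be in the room.
        room_id, hosts = await self._api.lookup_room_alias(room_alias)
        via = [h for h in hosts if h in self._allowed]
        if not via:
            raise PermissionError(f"no allow-listed server to join {room_alias}")
        # remote_room_hosts lets the join go over federation when this
        # homeserver is not in the room yet.
        await self._api.update_room_membership(
            sender=user_id, target=user_id, room_id=room_id,
            new_membership="join", remote_room_hosts=via,
        )
        return room_id


class FakeModuleApi:
    """Constructed stand-in for ModuleApi so the example runs without Synapse."""

    def __init__(self) -> None:
        self.joins: List[Tuple[str, str, List[str]]] = []

    async def lookup_room_alias(self, room_alias: str) -> Tuple[str, List[str]]:
        return "!abc123:remote.example", ["remote.example", "unknown.example"]

    async def update_room_membership(self, sender, target, room_id,
                                     new_membership, content=None,
                                     remote_room_hosts=None):
        self.joins.append((target, room_id, remote_room_hosts))


def demo() -> List[Tuple[str, str, List[str]]]:
    api = FakeModuleApi()
    joiner = AllowlistedAliasJoiner(api, {"remote.example"})
    asyncio.run(joiner.join("@alice:local.example", "#ops:remote.example"))
    return api.joins
```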

Everything else

Synapse 1.65 stabilises the implementation of MSC3827, which allows filtering public room searches on room types. This means it is now possible to search specifically for public spaces. For more information on this feature, see the Synapse 1.63 announcement.

Additionally, Synapse 1.65 implements the new experimental error codes documented by MSC3848. Once stabilised, these error codes will allow clients to show more specific errors to their users about why an event could not be sent.

See the full changelog for a complete list of changes in this release.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including (in no particular order) Beeper, andrewdoh, Julian-Samuel Gebühr and Dirk Klimpel, as well as anyone helping us make Synapse better by sharing their feedback and reporting issues.

Synapse 1.64 released

03.08.2022 00:00 — Releases Brendan Abolivier

It's that time again: there's a new Synapse release, fresh out of the oven! Let's take a look at what's inside Synapse 1.64.

Delegating email verification is now deprecated

Synapse 1.4.0 introduced a configuration option (account_threepid_delegates.email) to allow homeservers to delegate validating the ownership of email addresses to an external identity server. This validation is used by Synapse when adding an email address to a Matrix account, or before performing a password reset.

As of Synapse 1.64, this option is deprecated, and Synapse will print a warning if it is used. This is because this option relies on old API endpoints that have since been removed from the Matrix specification.

Synapse can do this validation internally provided it is configured with details of an SMTP server. Administrators currently relying on account_threepid_delegates.email should therefore ensure that an SMTP server is correctly configured, and remove the account_threepid_delegates.email option. See the configuration guide for more information.

We plan to fully remove this configuration option in Synapse 1.66, which is expected to be released on August 30th.

Note that the equivalent option to validate the ownership of phone numbers (account_threepid_delegates.msisdn) can still be used, though we expect to deprecate it in a future release of Synapse.

Improved TLS support for sending emails

When configuring an SMTP server to use to send out emails to users, server administrators can configure Synapse to use TLS to communicate with that server. Until now, only STARTTLS was supported in this case.

Synapse 1.64 introduces a new force_tls configuration option in the email section of the configuration file. If this new setting is set to true, Synapse will use TLS for the initial connection rather than upgrading via STARTTLS.

See the configuration guide for more information.
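The email delegation deprecation and the force_tls option described above can be checked together on an existing deployment. The following is an added example, not code from Synapse or from this post: it audits an already-parsed homeserver.yaml passed in as a Python dict. The sample configs and hostnames are constructed, and enable_tls, require_transport_security, smtp_host and smtp_port are email options taken from the Synapse configuration documentation rather than from this post.

```python
from typing import Any, Dict, List

# Constructed sample: parsed homeserver.yaml still delegating email validation.
LEGACY: Dict[str, Any] = {
    "account_threepid_delegates": {
        "email": "https://id.example.org",
        "msisdn": "https://id.example.org",
    },
}

# Constructed sample: the same deployment after moving to its own SMTP relay.
MIGRATED: Dict[str, Any] = {
    "account_threepid_delegates": {"msisdn": "https://id.example.org"},
    "email": {"smtp_host": "mail.example.org", "smtp_port": 465, "force_tls": True},
}


def audit_email_config(cfg: Dict[str, Any]) -> List[str]:
    """Return findings for the email-related settings of a parsed homeserver.yaml."""
    findings: List[str] = []
    delegates = cfg.get("account_threepid_delegates") or {}
    email = cfg.get("email") or {}

    if delegates.get("email"):
        findings.append("account_threepid_delegates.email is deprecated: remove it")
        if not email:
            findings.append("no email section: configure SMTP before removing the delegate")
    if not email:
        return findings

    if email.get("enable_tls") is False:
        findings.append("email.enable_tls is false: SMTP traffic is sent in plain text")
    elif email.get("force_tls"):
        # Implicit TLS from the first byte; ports 25 and 587 usually expect STARTTLS.
        if email.get("smtp_port") in (25, 587):
            findings.append("email.force_tls with a STARTTLS port: check smtp_port")
    elif not email.get("require_transport_security"):
        # Default behaviour: plain text first, upgrade only if the server offers it.
        findings.append("STARTTLS is opportunistic: set force_tls or require_transport_security")
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(name, audit_email_config(cfg) or "ok")
```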

Memory leak in frozendict

A couple of weeks ago, we identified a memory leak within frozendict, which is a library that Synapse relies on. This would in turn cause Synapse instances to slowly leak memory when processing /sync requests.

We highly encourage server administrators who installed Synapse via pip to upgrade their local version of frozendict to version 2.3.3 or later, which includes a fix to this issue. The Docker image matrixdotorg/synapse and the Debian packages from packages.matrix.org already include the updated library.

Everything else

This version of Synapse introduces support for room version 10! This new room version enables support for the new knock_restricted join rule, to allow knocking into rooms which are otherwise restricted to members of a specific room (or space). See the Matrix specification about room version 10 for more information.

Additionally, Synapse 1.64 features a new rate limiter to limit the rate of joins to the same room. It is intended as a mitigation against abuse scenarios involving joining a lot of users from different homeservers to a room to then send spam across it. See the configuration guide for more information.

This release of Synapse also extends the List Rooms and Room Details admin APIs to include the type of a room in responses, allowing server administrators to differentiate spaces from other rooms.

See the full changelog for a complete list of changes in this release. Also please have a look at the upgrade notes for this version.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including (in no particular order) Beeper, andrewdoh, Thomas Weston, jejo86, villepeh, Jörg Behrmann and Jacek Kuśnierz, as well as anyone helping us make Synapse better by sharing their feedback and reporting issues.