chore(deps): update matrixdotorg/synapse docker tag to v1.120.2 #50
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.120.0->v1.120.2Release Notes
element-hq/synapse (matrixdotorg/synapse)
v1.120.2Compare Source
Synapse 1.120.2 (2024-12-03)
This version has building of wheels for macOS disabled.
It is functionally identical to 1.120.1, which contains multiple security fixes.
If you are already using 1.120.1, there is no need to upgrade to this version.
Synapse 1.120.1 (2024-12-03)
This patch release fixes multiple security vulnerabilities, some affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.
Administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.
Security advisory
The following issues are fixed in 1.120.1.
GHSA-rfq8-j7rh-8hf2 / CVE-2024-52805 (high): Unsupported content types can lead to memory exhaustion
Synapse instances which have a high
max_upload_sizeand which don't have a reverse proxy in front of them that would otherwise limit upload size are affected.Fixed by 4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf.
GHSA-f3r3-h2mq-hx2h / CVE-2024-52815 (high): Malicious invites via federation can break a user's sync
Fixed by d82e1ed357b7ee21dff83d06cba7a67840cfd464.
GHSA-vp6v-whfm-rv3g / CVE-2024-53863 (high): Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders
Synapse instances can disable dynamic thumbnailing by setting
dynamic_thumbnailstofalsein the configuration file.Fixed by b64a4e5fbbbf119b6c65aedf0d999b4237d55503.
GHSA-56w4-5538-8v8h / CVE-2024-53867 (moderate): The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room
Non-state events, like messages, are unaffected.
Synapse instances can disable the Sliding Sync feature by setting
experimental_features.msc3575_enabledtofalsein the configuration file.Fixed by 4daa533e82f345ce87b9495d31781af570ba3ead.
Additionally, we disclose the following vulnerabilities, both have been fixed in Synapse 1.106.0:
GHSA-4mhg-xv73-xq2x / CVE-2024-37302 (high): Denial of service through media disk space consumption
GHSA-gjgr-7834-rhxr / CVE-2024-37303 (moderate): Unauthenticated writes to the media repository allow planting of problematic content
See the advisories for more details. If you have any questions, email security at element.io.
Bug fixes
v1.120.1Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.