|
|
@@ -1,3 +1,24 @@ |
|
|
|
Synapse 1.85.0 (2023-06-06) |
|
|
|
=========================== |
|
|
|
|
|
|
|
No significant changes since 1.85.0rc2. |
|
|
|
|
|
|
|
|
|
|
|
## Security advisory |
|
|
|
|
|
|
|
The following issues are fixed in 1.85.0. |
|
|
|
|
|
|
|
- [GHSA-26c5-ppr8-f33p](https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p) / [CVE-2023-32682](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity |
|
|
|
|
|
|
|
It may be possible for a deactivated user to login when using uncommon configurations. |
|
|
|
|
|
|
|
- [GHSA-98px-6486-j7qc](https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc) / [CVE-2023-32683](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32683) — Low Severity |
|
|
|
|
|
|
|
A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs). |
|
|
|
|
|
|
|
See the advisories for more details. If you have any questions, email security@matrix.org. |
|
|
|
|
|
|
|
|
|
|
|
Synapse 1.85.0rc2 (2023-06-01) |
|
|
|
============================== |
|
|
|
|
|
|
|
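Review bot: In the first advisory bullet (GHSA-26c5-ppr8-f33p) the link text reads CVE-2023-32682 but its href ends in `name=CVE-2023-32683`, the same target as the second bullet, so a reader following the deactivated-user entry lands on the wrong CVE record. The URL should end in `name=CVE-2023-32682` to match its label. A smaller style point in that bullet's description: "login" is used as a verb in "for a deactivated user to login", and "log in" is the correct form.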