@@ -1,3 +1,20 @@ |
|
|
|
# Synapse 1.92.3 (2023-09-18) |
|
|
|
|
|
|
|
This is again an update targeted at mitigating [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863). |
|
|
|
It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of |
|
|
|
libwebp package at the OS level. |
|
|
|
|
|
|
|
Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages. |
|
|
|
|
|
|
|
|
|
|
|
### Internal Changes |
|
|
|
|
|
|
|
- Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. ([\#16347](https://github.com/matrix-org/synapse/issues/16347)) |
|
|
|
|
|
|
|
### Updates to locked dependencies |
|
|
|
|
|
|
|
* Bump pillow from 10.0.0 to 10.0.1. ([\#16344](https://github.com/matrix-org/synapse/issues/16344)) |
|
|
|
|
|
|
|
# Synapse 1.92.2 (2023-09-15) |
|
|
|
|
|
|
|
This is a Docker-only update to mitigate [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863), a critical vulnerability in `libwebp`. Server admins not using Docker should ensure that their `libwebp` is up to date (if installed). We encourage admins to upgrade as soon as possible. |
|
|
|
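Review bot: The new 1.92.3 intro says the fix has to come from Pillow rather than the OS `libwebp` package, but the unchanged 1.92.2 entry below it still tells non-Docker admins to "ensure that their `libwebp` is up to date (if installed)", and that advice does not cover a Pillow wheel with libwebp bundled statically. The sentence "Unlike what was advertised in 1.92.2 changelog" hints at this, but it does not tell admins what to do. Consider stating in the 1.92.3 text that installs using Pillow wheels need Pillow 10.0.1 or later regardless of the OS package, and repeating the "upgrade as soon as possible" recommendation from 1.92.2. Two smaller points: "instead of libwebp package at the OS level" is missing "the", and the two new lists use different bullet markers (`-` under Internal Changes, `*` under Updates to locked dependencies).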