This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Merge Synapse v1.41.1 #102

Merged: 698 commits, Sep 7, 2021

richvdh and others added 30 commits July 14, 2021 14:41
A few things here:

* Build the debs for single distro for each PR, so that we can see if it breaks. Do the same for develop. Building all the debs ties up the GHA workers for ages.
* Stop building the debs for release branches. Again, it takes ages, and I don't think anyone is actually going to stop and look at them. We'll know they are working when we make an RC.
* Change the configs so that if we manually cancel a workflow, it actually does something.
This is part of fixing #6116: we want to put RC debs into a different place than release debs, so reprepro has to be able to tell them apart.
By referring to awaitables instead of deferreds.
This is to help with performance, where trying to connect to thousands
of hosts at once can consume a lot of CPU (due to TLS etc).

Co-authored-by: Brendan Abolivier <babolivier@matrix.org>
…#10399)

Our documentation has a history of using a document's name as a way to link to it, such as "See [workers.md]() for details". This makes sense when you're traversing a directory of files, but less sense when the files are abstracted away - as they are on the documentation website.

This PR changes the links to various documentation pages to something that fits better into the surrounding sentence, as you would when making any hyperlink on the web.
…rics (#10315)

Signed-off-by: Olivier Wilkinson (reivilibre) <olivier@librepush.net>
…10359)

The postgres statistics collector sometimes massively underestimates the
number of distinct state groups that are in the `state_groups_state`, which
can cause postgres to use table scans for queries for multiple state
groups.

We fix this by manually setting `n_distinct` on the column.
…. (#10404)

These signatures would end up invalid since the joining/leaving/knocking
server would modify the response before calling send_{join,leave,knock}.
This adds an API for third-party plugin modules to implement account validity, so they can provide this feature instead of Synapse. The module implementing the current behaviour for this feature can be found at https://github.com/matrix-org/synapse-email-account-validity.

To allow for a smooth transition between the current feature and the new module, hooks have been added to the existing account validity endpoints to allow their behaviours to be overridden by a module.
This PR is tantamount to running 
```
pyupgrade --py36-plus --keep-percent-format `find synapse/ -type f -name "*.py"`
```

Part of #9744
… impression of retention given by the old R30 metric (#10332)

Signed-off-by: Olivier Wilkinson (reivilibre) <olivier@librepush.net>
…erface (#10386)

Port the third-party event rules interface to the generic module interface introduced in v1.37.0
Because DINUM had it before mainline, so the file names don't match.
Will need some fiddling with the database before updating to a mainlined
version.
Because DINUM had it before mainline, so the file names don't match.
Will need some fiddling with the database before updating to a mainlined
version.
Synapse 1.41.1 (2021-08-31)
===========================

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

Security advisory
-----------------

The following issues are fixed in v1.41.1.

- **[GHSA-3x4c-pq33-4w3q](GHSA-3x4c-pq33-4w3q) / [CVE-2021-39164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39164): Enumerating a private room's list of members and their display names.**

  If an unauthorized user both knows the Room ID of a private room *and* that room's history visibility is set to `shared`, then they may be able to enumerate the room's members, including their display names.

  The unauthorized user must be on the same homeserver as a user who is a member of the target room.

  Fixed by [52c7a51](matrix-org/synapse@52c7a51cf).

- **[GHSA-jj53-8fmw-f2w2](GHSA-jj53-8fmw-f2w2) / [CVE-2021-39163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39163): Disclosing a private room's name, avatar, topic, and number of members.**

  If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.

  The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (`enable_group_creation` in the Synapse configuration; off by default).

  Fixed by [cb35df9](matrix-org/synapse@cb35df940a), [\#10723](matrix-org/synapse#10723).

Bugfixes
--------

- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. ([\#10713](matrix-org/synapse#10713))
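
A triage check for the two advisories above, as an added example that is not part of the original PR or of Synapse itself. It assumes the operator supplies the running version string, the text of the homeserver configuration, and a mapping of private room IDs to their history visibility; the function names and all sample values are constructed for illustration.

```python
import re

FIXED = (1, 41, 1)  # release the advisory names as fixing both issues

def parse_version(text):
    """Split '1.41.1' or '1.41.0rc1' into ((major, minor, patch), is_rc)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(rc\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None

def is_patched(version):
    nums, is_rc = parse_version(version)
    # Conservative assumption: a release candidate of the fixed version
    # is treated as unpatched, since it sorts before the final release.
    return nums > FIXED or (nums == FIXED and not is_rc)

def group_creation_enabled(config_text):
    """Simple line-based read of top-level `enable_group_creation` (off by default)."""
    m = re.search(r"^enable_group_creation:\s*([^\s#]+)", config_text, re.M)
    return bool(m) and m[1].lower() in {"true", "yes", "on"}

def triage(version, config_text, room_visibility):
    """Return [(cve_id, exposed_room_ids)] for preconditions that hold."""
    findings = []
    if is_patched(version):
        return findings
    # CVE-2021-39164 needs history visibility `shared` on the private room.
    shared = sorted(r for r, v in room_visibility.items() if v == "shared")
    if shared:
        findings.append(("CVE-2021-39164", shared))
    # CVE-2021-39163 needs non-admin group creation to be allowed.
    if group_creation_enabled(config_text):
        findings.append(("CVE-2021-39163", sorted(room_visibility)))
    return findings

# Constructed sample input, not taken from any real deployment.
SAMPLE_CONFIG = (
    "server_name: example.org\n"
    "# enable_group_creation: false\n"
    "enable_group_creation: true  # constructed value\n"
)
SAMPLE_ROOMS = {"!a:example.org": "shared", "!b:example.org": "invited"}

if __name__ == "__main__":
    for cve, rooms in triage("1.41.0", SAMPLE_CONFIG, SAMPLE_ROOMS):
        print(cve, rooms)
```

Both issues also require the unauthorized user to be on the same homeserver as a room member, which this check does not model.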
@babolivier babolivier changed the title Merge Synapse v1.41.0 Merge Synapse v1.41.1 Sep 2, 2021
@babolivier

The CI failing is expected - this PR migrates it from BuildKite to GitHub Actions, but since it hasn't merged yet the project hasn't been removed from BuildKite yet, so it complains that it can't find the pipeline docs. All GitHub Actions tests seem to be passing.


@anoadragon453 anoadragon453 left a comment

Looking pretty good overall! I feel for you having to go through all those test fixes, but good job on getting through them all.

Just some small things below.

synapse/handlers/account_validity.py (outdated)
synapse/util/stringutils.py (outdated)
.github/workflows/tests.yml

@anoadragon453 anoadragon453 left a comment

LGTM, thanks!

@babolivier babolivier marked this pull request as ready for review September 7, 2021 13:20
@babolivier babolivier merged commit c53584a into dinsic Sep 7, 2021