Erik Johnston

We were advised of a bug with the LDAP integration an hour ago that allowed unauthenticated login in certain circumstances when using an old version of the ldap3 python module (v0.9.x).

Currently, this is only known to affect the debian packages of synapse. A fix has been pushed, v0.18.2-2, and it is strongly advised for you to update as soon as possible.

Synapse installed using pip should not be affected, as pip will have bundled a newer version of the ldap3 module.

UPDATE: Synapse v0.18.3 released.

This issue only affects OS (not virtualenv) installations using v0.9.x of the ldap3 python package (e.g. Debian Stable (Jessie)).  Synapse itself specifies a dependency on >v1.0 of ldap3, but as the dependency is optional there is a risk that a stale operating system dependency will be pulled in instead.  To be safe, 0.18.3 of Synapse has just been released to fix the underlying problem for anyone using the older ldap3 package, regardless of their OS. https://github.com/matrix-org/synapse/releases/tag/v0.18.3 has the details.

Many thanks to Adrián Pérez for reporting the problem, and to hexa- for assistance in quickly solving it!

Signed announcement: synapse-debian-security-announcement

A small update for Synapse has been released: v0.17.2! It includes a few optimisations to reduce memory usage, as well as some security bug fixes. It's therefore recommended to upgrade as soon as possible.

The full change log can be found on the release page.

Synapse v0.17.1 is here! It includes a bunch of bug fixes an performance improvements, as well as a brand new notifications API added by Dave.

We've also been busy adding more metrics into the code to help spot various performance bottlenecks, which should help in the ongoing performance improvement effort.

This also includes security fixes regarding possible XSS attacks involving the media repository - please upgrade!

The full change log can be found on the release page.

Synapse v0.17.0 is finally here, which includes a couple of security fixes so please upgrade. Other notable new things are:

• A bunch of new admin APIs, including purging locally cached data (which has been long requested to help free up disk space). See the docs folder for more details.
• Device management APIs in preparation for end to end encryption.
• Better support for LDAP authentication, thanks to Martin Weinelt! (This may break existing LDAP configuration, see PR #843 for more details.)
• Lots and lots of bug fixes and various bits of performance work.

For a full list of everything that has changed see below or the release page.

I'd also like to thank Will Hunt, Martin Weinelt and Kent Shikama for their contributions!

Changes in synapse v0.17.0 (2016-08-08)

This release contains significant security bug fixes regarding authenticating events received over federation. PLEASE UPGRADE.

This release changes the LDAP configuration format in a backwards incompatible way, see PR #843 for details.

Changes:

• Add federation /version API (PR #990)
• Make psutil dependency optional (PR #992)

Bug fixes:

• Fix URL preview API to exclude HTML comments in description (PR #988)
• Fix error handling of remote joins (PR #991)

Changes in synapse v0.17.0-rc4 (2016-08-05)

Changes:

• Change the way we summarize URLs when previewing (PR #973)
• Add new /state_ids/ federation API (PR #979)
• Speed up processing of /state/ response (PR #986)

Bug fixes:

• Fix event persistence when event has already been partially persisted (PR #975, #983, #985)
• Fix port script to also copy across backfilled events (PR #982)

Changes in synapse v0.17.0-rc3 (2016-08-02)

Changes:

• Forbid non-ASes from registering users whose names begin with '_' (PR #958)
• Add some basic admin API docs (PR #963)

Bug fixes:

• Send the correct host header when fetching keys (PR #941)
• Fix joining a room that has missing auth events (PR #964)
• Fix various push bugs (PR #966, #970)
• Fix adding emails on registration (PR #968)

Changes in synapse v0.17.0-rc1 (2016-07-28)

This release changes the LDAP configuration format in a backwards incompatible way, see PR #843 for details.

Features:

• Add purge_media_cache admin API (PR #902)
• Add deactivate account admin API (PR #903)
• Add optional pepper to password hashing (PR #907, #910 by @KentShikama)
• Add an admin option to shared secret registration (breaks backwards compat) (PR #909)
• Add purge local room history API (PR #911, #923, #924)
• Add requestToken endpoints (PR #915)
• Add an /account/deactivate endpoint (PR #921)
• Add filter param to /messages. Add 'contains_url' to filter. (PR #922)
• Add device_id support to /login (PR #929)
• Add device_id support to /v2/register flow. (PR #937, #942)
• Add GET /devices endpoint (PR #939, #944)
• Add GET /device/{'{'}deviceId{'{'} (PR #943)
• Add update and delete APIs for devices (PR #949)

Changes:

• Rewrite LDAP Authentication against ldap3 (PR #843 by @mweinelt)
• Linearize some federation endpoints based on (origin, room_id) (PR #879)
• Remove the legacy v0 content upload API. (PR #888)
• Use similar naming we use in email notifs for push (PR #894)
• Optionally include password hash in createUser endpoint (PR #905 by @KentShikama)
• Use a query that postgresql optimises better for get_events_around (PR #906)
• Fall back to 'username' if 'user' is not given for appservice registration. (PR #927 by @Half-Shot)
• Add metrics for psutil derived memory usage (PR #936)
• Record device_id in client_ips (PR #938)
• Send the correct host header when fetching keys (PR #941)
• Log the hostname the reCAPTCHA was completed on (PR #946)
• Make the device id on e2e key upload optional (PR #956)
• Add r0.2.0 to the "supported versions" list (PR #960)
• Don't include name of room for invites in push (PR #961)

Bug fixes:

• Fix substitution failure in mail template (PR #887)
• Put most recent 20 messages in email notif (PR #892)
• Ensure that the guest user is in the database when upgrading accounts (PR #914)
• Fix various edge cases in auth handling (PR #919)
• Fix 500 ISE when sending alias event without a state_key (PR #925)
• Fix bug where we stored rejections in the state_group, persist all rejections (PR #948)
• Fix lack of check of if the user is banned when handling 3pid invites (PR #952)
• Fix a couple of bugs in the transaction and keyring code (PR #954, #955)

We've been made aware of a critical security issue in Synapse present in versions 0.12 through 0.16.1 inclusive which can allow users' accounts to be accessed by other unauthorized users on the same server. The issue was reported at 14:40 UTC on 2016-07-07 by Patrik Oldsberg at Ericsson (many thanks Patrik for discovering the issue and swiftly informing us). The source of the issue was identified, and a patch was created and distributed to package maintainers at roughly 16:30 UTC the same day.

We are not aware of any exploit in the wild, but it is critical for all synapse homeservers later than v0.12 to be upgraded immediately.

The github repository, as well as major 3rd party packages, have been updated with patched versions.

If an update is not available for your system you should manually apply the security patch that is included below. (This can be done by running patch -p1 sec.patch in the synapse source directory.)

The git commit SHA of the fix is: 067596d341a661e008195f7f3a6887ade7cafa32. This is included in release v0.16.1-r1.

Whilst Synapse (and Matrix) is still in beta, we nonetheless take such security issues seriously. In the coming days we will be reviewing how this vulnerability was introduced, and any steps that could have been taken to prevent the issue. We will also be auditing the remaining access control system to ensure there are no other existing issues. The full findings will be published when completed.

We apologise for the inconvenience of this emergency upgrade.

Thank you for your continued support, The Matrix Team

---

Various upgrade instructions:

• If you installed via git: git pull.
• If you installed via pip: pip install https://github.com/matrix-org/synapse/tarball/master
• If you installed via debian package: apt-get update; apt-get install matrix-synapse

After upgrade you will need to restart synapse.

Links to 3rd party packages: Arch: https://aur.archlinux.org/packages/matrix-synapse Fedora: https://obs.infoserver.lv/project/show/matrix-synapse

The patch against v0.16.x is: sec-0.16.patch, sec-0.16.patch.signed

The patch against v0.14.x is: sec-0.14.patch, sec-0.14.patch.signed

Signed announcement: fulldisclosure.signed

We have recently been made aware of a critical security issue in Synapse. Full disclosure of the issue and patch will be made at 2016-07-08 13:00 UTC. We are coordinating with package maintainers to ensure that patched versions of the packages will be available at that time.

If you run your own Synapse please be prepared to upgrade as soon as the patched versions are released.

Thank you for your time, patience and understanding while we resolve this issue, The Matrix Team

Signed pre-disclosure notice

Happy Friday everyone!

Over the past two weeks, we have been hunting down some more performance issues in Synapse, as well as fixing a few potential bugs in the new backfill feature that we introduced in 0.9.1. For those that were having issues, this release should really help speed up when your server joins larger remote rooms.

We have also been busy hacking on end-to-end encryption, which is very exciting. Hopefully we will have more details to share about that soon!

Get v0.9.2 now from http://github.com/matrix-org/synapse.

Changes in synapse v0.9.2 (2015-06-12) ======================================

General:

• Use ultrajson for json (de)serialisation when a canonical encoding is not required. Ultrajson is significantly faster than simplejson in certain circumstances.
• Use connection pools for outgoing HTTP connections.
• Process thumbnails on separate threads.

Configuration:

• Add option, gzip_responses, to disable HTTP response compression.

Federation:

• Improve resilience of backfill by ensuring we fetch any missing auth events.
• Improve performance of backfill and joining remote rooms by removing unnecessary computations. This included handling events we had previously handled as well as attempting to compute the current state for outliers.