Synapse 1.41.1 (2021-08-31)
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
Security advisory
The following issues are fixed in v1.41.1.
-
GHSA-3x4c-pq33-4w3q / CVE-2021-39164: Enumerating a private room's list of members and their display names.
If an unauthorized user both knows the Room ID of a private room and that room's history visibility is set to
shared, then they may be able to enumerate the room's members, including their display names.The unauthorized user must be on the same homeserver as a user who is a member of the target room.
Fixed by 52c7a51cf.
-
GHSA-jj53-8fmw-f2w2 / CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.
If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.
The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (
enable_group_creationin the Synapse configuration; off by default).Fixed by cb35df940a, #10723.
Bugfixes
- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. (#10713)