Synapse 1.93.0 (2023-09-26)

No significant changes since 1.93.0rc1.

Security advisory

The following issues are fixed in 1.93.0 (and RCs).

GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity
Temporary storage of plaintext passwords during password changes.
GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity
Improper validation of receipts allows forged read receipts.

See the advisories for more details. If you have any questions, email security@matrix.org.

Add automatic purge after all users have forgotten a room. (#15488)
Restore room purge/shutdown after a Synapse restart. (#15488)
Support resolving homeservers using matrix-fed DNS SRV records from MSC4040. (#16137)
Add the ability to use G (GiB) and T (TiB) suffixes in configuration options that refer to numbers of bytes. (#16219)
Add span information to requests sent to appservices. Contributed by MTRNord. (#16227)
Add the ability to enable/disable registrations when using CAS. Contributed by Aurélien Grimpard. (#16262)
Allow the /notifications endpoint to be routed to workers. (#16265)
Enable users to easily unsubscribe to notifications emails via the List-Unsubscribe header. (#16274)
Report whether a user is locked in the List Accounts admin API, and exclude locked users by default. (#16328)

Fix a long-standing bug where multi-device accounts could cause high load due to presence. (#16066, #16170, #16171, #16172, #16174)
Fix a long-standing bug where appservices using MSC2409 to receive to_device messages would only get messages for one user. (#16251)
Fix bug when using workers where Synapse could end up re-requesting the same remote device repeatedly. (#16252)
Fix long-standing bug where we kept re-requesting a remote server's key repeatedly, potentially causing delays in receiving events over federation. (#16257)
Avoid temporary storage of sensitive information. (#16272)
Fix bug introduced in Synapse 1.49.0 when using dehydrated devices (MSC2697) and refresh tokens. Contributed by Hanadi. (#16288)
Fix a long-standing bug where invalid receipts would be accepted. (#16327)
Use standard name for UTF-8 charset in emails. (#16329)
Don't try refetching device lists for users on remote hosts that are marked as "down". (#16298)

Fix typos in the documentation. (#16282)
Link to the Alpine Linux community package for Synapse. (#16304)
Use string for federation_client_minimum_tls_version documentation examples. Contributed by @jcgruenhage. (#16353)

Allow modules to delete rooms. (#15997)
Add GCC and GNU Make to the Nix flake development environment so that ruff can be compiled. (#16090, #16263)
Fix type checking when using the new version of Twisted. (#16235)
Delete device messages asynchronously and in staged batches using the task scheduler. (#16240, #16311, #16312, #16313)
Bump minimum supported Rust version to 1.61.0. (#16248)
Update rust to version 1.71.1 in the nix development environment. (#16260)
Simplify server key storage. (#16261)
Reduce CPU overhead of change password endpoint. (#16264)
Stop purging from tables slated for removal. (#16273)
Improve type hints. (#16276, #16301, #16325, #16326)
Raise setuptools_rust version cap to 1.7.0. (#16277)
Fix using the new task scheduler causing lots of CPU to be used. (#16278)
Upgrade CI run of Python 3.12 from rc1 to rc2. (#16280)
Include values in SQL debug when using execute_values with Postgres. (#16281)
Enable additional linting checks. (#16283)
Refactor receipts_graph Postgres transactions to stop error messages. (#16299)
Small improvements to logging in replication code. (#16309)
Remove a reference cycle in background processes. (#16314)
Only use literal strings for background process names. (#16315)
Refactor get_user_by_id. (#16316)
Speed up task to delete to-device messages. (#16318)
Avoid patching code in tests. (#16349)
Test against PostgreSQL 16. (#16351)