Synapse 1.11.1 is a security release which contains a fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.

Admins not using Single Sign-On to authenticate users are not affected though may wish to upgrade anyway to pull in some unrelated bug fixes.

Thanks to Rhys Davies for the responsible disclosure.

Get the new release from github or any of the sources mentioned at https://github.com/matrix-org/synapse/blob/master/INSTALL.md.

Changelog since Synapse 1.11.0

Synapse 1.11.1 (2020-03-03)

This release includes a security fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.

The release also includes fixes for a couple of other bugs.

Bugfixes

  • Add a confirmation step to the SSO login flow before redirecting users to the redirect URL. (b2bd54a2, 65c73cdf, a0178df1)
  • Fixed set a user as an admin with the admin API PUT /_synapse/admin/v2/users/<user_id>. Contributed by @dklimpel. (#6910)
  • Fix bug introduced in Synapse 1.11.0 which sometimes caused errors when joining rooms over federation, with 'coroutine' object has no attribute 'event_id'. (#6996)

The Foundation needs you

The Matrix.org Foundation is a non-profit and only relies on donations to operate. Its core mission is to maintain the Matrix Specification, but it does much more than that.

It maintains the matrix.org homeserver and hosts several bridges for free. It fights for our collective rights to digital privacy and dignity.

Support us