Synapse 1.11.1 is a security release which contains a fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.

Admins not using Single Sign-On to authenicate users are not affected though may wish to upgrade anyway to pull in some unrelated bug fixes.

Thanks to Rhys Davies for the responsible disclosure.

Get the new release from github or any of the sources mentioned at https://github.com/matrix-org/synapse/blob/master/INSTALL.md.

Changelog since Synapse 1.11.0

Synapse 1.11.1 (2020-03-03)

This release includes a security fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.

The release also includes fixes for a couple of other bugs.

Bugfixes

• Add a confirmation step to the SSO login flow before redirecting users to the redirect URL. (b2bd54a2, 65c73cdf, a0178df1)
• Fixed set a user as an admin with the admin API PUT /_synapse/admin/v2/users/<user_id>. Contributed by @dklimpel. (#6910)
• Fix bug introduced in Synapse 1.11.0 which sometimes caused errors when joining rooms over federation, with 'coroutine' object has no attribute 'event_id'. (#6996)